Restrict inbound SMTP - only accept from defined IP list


bproven
Posts: 69
Joined: Thu Nov 17, 2005 10:40 am


Post by bproven » Tue Dec 05, 2006 6:36 pm

We currently use a Spam/AV "scrubber" service called MXLogic that acts as an external gateway for our Exchange server. We are planning a migration to Scalix and need to be able to configure Scalix to only accept SMTP connections (inbound) from the MXLogic servers and also to forward ALL external email to the MXLogic servers (outgoing). I gather that the latter would be set up by configuring Scalix to use a Smarthost/relay for outbound/forwarding as such (taken from KB):

Code:

Set the DS macro in the sendmail.cf file on the Scalix Server. Change the file from:

# "Smart" relay host (may be null)

DS

to

# "Smart" relay host (may be null)

DSoutboundserver.domain.com

where outboundserver.domain.com is the name of your internet-bound (messages) server/Smart Host.


However I am confused as to how to configure Scalix to only accept connections from the MXLogic servers which are defined by IP (they provide a pool of IPs). I am guessing this is done in the smtpd.cfg but I am confused as to exactly how to do it. In Exchange 2003 I configured this by going to properties on the 'default SMTP virtual server', access tab, connection control, and explicitly adding only the MXLogic server IPs that are allowed to connect. How is this done in Scalix?

I appreciate the help - BTW I plan to move to Scalix 11 - I am not sure if the config differs between 10 and 11 "or if the docs have caught up yet". Thanks.

dkelly
Scalix
Posts: 593
Joined: Thu Mar 18, 2004 2:03 pm

Post by dkelly » Wed Dec 06, 2006 1:28 pm

The comments in the smtpd.cfg file give details on the SUBMIT rule that you can specify. However, if you are using SWA, please ensure that you also include the IP address of your SWA server (even if it's the same as the Scalix server).

Cheers

Dave

bproven
Posts: 69
Joined: Thu Nov 17, 2005 10:40 am

Thanks - so does this look OK?

Post by bproven » Wed Dec 06, 2006 4:42 pm

Thanks for your input. Using my interpretation of the smtpd.cfg file options I came up with this (most commented lines have been removed):

Code:

EXTENSIONS=AUTH,DSN,8BITMIME

# Uncomment the following lines to enable the Submission and LMTP listeners
SUBMIT=ON
#LMTP=ON


# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept .myinternaldomain.local
RELAY accept .mydomain.com
RELAY accept mydomain.com
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
SUBMIT <ipaddress-of-mxlogic>
SUBMIT <ipaddress-of-mxlogic>
SUBMIT <ipaddress-of-SWA-server> #In my case it's local so it would be "127.0.0.1", correct?
ANONYMOUS Log_Reject ALL



# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix


Will the above do the trick? I basically turned "SUBMIT" on by uncommenting that line and then added the SUBMIT lines for the MXLogic servers and the SWA server (localhost).

Thanks again for your assistance - it is appreciated.
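
An added example, not part of the thread and not Scalix code: once an inbound allowlist like the one discussed above is in place, one way to confirm nothing reaches the server around the filtering gateway is to scan the mail log for accepted messages whose connecting peer is outside the provider's pool. It assumes sendmail-style `from=` log lines; the networks, host names and log lines are constructed.

```python
import ipaddress
import re

# Constructed allowlist: RFC 5737 documentation ranges stand in for the
# filtering provider's published pool; loopback covers a local webmail server.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/28", "198.51.100.16/29", "127.0.0.0/8")]

# sendmail records the connecting peer of an accepted message on the "from="
# line as "relay=name [ip]", or "relay=[ip]" when the peer has no reverse DNS.
FROM_LINE = re.compile(
    r"from=<?(?P<sender>[^>,]*)>?,.*\brelay=(?:\S+ )?\[(?P<ip>[0-9a-fA-F:.]+)\]")

# Constructed sample log lines (assumed format, not taken from a real server).
SAMPLE_LOG = """\
Dec  6 16:01:02 mail sendmail[2101]: kB6M12aa002101: from=<alice@example.org>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=gw1.filter.example [192.0.2.5]
Dec  6 16:01:09 mail sendmail[2107]: kB6M19ab002107: from=<promo@bulk.example>, size=9911, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[203.0.113.77]
Dec  6 16:02:30 mail sendmail[2110]: kB6M2Uac002110: from=<bob@mydomain.com>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Dec  6 16:02:31 mail sendmail[2112]: kB6M2Uac002110: to=<carol@example.net>, delay=00:00:01, mailer=esmtp, relay=out.example. [198.51.100.200], stat=Sent
Dec  6 16:03:44 mail sendmail[2120]: kB6M3iad002120: from=<x@spam.example>, size=700, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=gw9.filter.example [198.51.100.24]
"""

def is_allowed(ip_text):
    """True if the address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED if net.version == ip.version)

def find_bypasses(log_text):
    """Return (peer_ip, envelope_sender) for inbound mail from outside the pool."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue  # "to=" lines describe outbound delivery, not inbound peers
        try:
            ok = is_allowed(m.group("ip"))
        except ValueError:
            ok = False  # an unparsable peer address is treated as not allowed
        if not ok:
            hits.append((m.group("ip"), m.group("sender")))
    return hits

if __name__ == "__main__":
    for ip, sender in find_bypasses(SAMPLE_LOG):
        print(f"inbound mail from non-gateway peer {ip} (sender {sender})")
```

The last sample line is deliberately one address past the end of the /29: a host name that resembles the provider's does not make the peer part of the pool.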

