hi there,
is there a way to let smtpd only accept connections from certain ip/hosts?
I have a relay server as primary mx doing greylisting and then relaying to scalix smtpd server. It'd be a cool thing if smtpd would simply ignore connection attempts from any ip/host but this mail relay server. Or would I have to do that with iptables/bastille??
Thanks for help
smtpd to accept connections from defined ip/hosts?
Moderators: ScalixSupport, admin
-
fb
- Posts: 22
- Joined: Sun Jul 01, 2007 10:45 am
-
BaldBoy
- Posts: 141
- Joined: Fri May 19, 2006 12:45 pm
Assuming your config is based upon sendmail there is no way (at least that I know) to instruct smtpd to accept connections only from certain IPs.
On the other hand you can get the same result in two alternative ways: either you limit connections on port 25 using a firewall or you can limit access to smtp service using /etc/hosts.deny or /etc/hosts.allow. In this latter case it will linux wrapper to limit connections.
On the other hand you can get the same result in two alternative ways: either you limit connections on port 25 using a firewall or you can limit access to smtp service using /etc/hosts.deny or /etc/hosts.allow. In this latter case it will linux wrapper to limit connections.
-
jaime.pinto
- Scalix Star
- Posts: 709
- Joined: Fri Feb 23, 2007 6:50 pm
- Location: Toronto - Canada
/etc/mail/access
Play with the RELAY,ACCEPT, REJECT, DISCARD flags. Example:
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
200.200.200.200 RELAY # friendly IP
192.168.1.200 RELAY # friendly IP
192.168.1.201 ACCEPT # friendly IP
172.16.0.0 REJECT # unfriendly netblock
100.100.100.0 DISCARD # unfriendly netblock
0.0.0.0 REJECT # unfriendly internet!
Play with the RELAY,ACCEPT, REJECT, DISCARD flags. Example:
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
200.200.200.200 RELAY # friendly IP
192.168.1.200 RELAY # friendly IP
192.168.1.201 ACCEPT # friendly IP
172.16.0.0 REJECT # unfriendly netblock
100.100.100.0 DISCARD # unfriendly netblock
0.0.0.0 REJECT # unfriendly internet!
Jaime||||||||||||||||||||||||||||||||||||||||
-
chris
- Scalix Star
- Posts: 321
- Joined: Mon May 09, 2005 2:56 pm
- Location: Freiburg, Germany
-
fb
- Posts: 22
- Joined: Sun Jul 01, 2007 10:45 am
chris wrote:Actually, on a standard system, omsmtpd will be listening to the external address.
So you'll want to edit /var/opt/scalix/*/s/sys/smtpd.cfg
Look at the lines involving:
RELAY accept 127.0.0.1
Just add a similar line for your server and you should be good to go.
Chris
Hi Chris,
I have now only two RELAY accept lines in smtpd.cfg:
RELAY accept 127.0.0.1
RELAY accept RELAYSERVERIP
I restarted omsmtpd successfully but I can still connect from any IP in the world and send mails to it....
-
jaime.pinto
- Scalix Star
- Posts: 709
- Joined: Fri Feb 23, 2007 6:50 pm
- Location: Toronto - Canada
You need to understand what the flags do: RELAY,ACCEPT, REJECT, DISCARD
RELAY restricts "who" can use your mail server to *send emails out*.
To restrict who your server *receives emails from* you need to use a combination of one of the other 3 flags. This works similar to a if/then/else logic, and in sequence from the top.
ACCEPT from somebody. Be specific.
REJECT or DISCARD from everyone else that is left (o.o.o.o) or some specific IP.
If you reserve the order you may reject emails from everybody, even internal.
RELAY restricts "who" can use your mail server to *send emails out*.
To restrict who your server *receives emails from* you need to use a combination of one of the other 3 flags. This works similar to a if/then/else logic, and in sequence from the top.
ACCEPT from somebody. Be specific.
REJECT or DISCARD from everyone else that is left (o.o.o.o) or some specific IP.
If you reserve the order you may reject emails from everybody, even internal.
Jaime||||||||||||||||||||||||||||||||||||||||
-
fb
- Posts: 22
- Joined: Sun Jul 01, 2007 10:45 am
@jaime.pinto: thanks for your help BUT you forgot to mention the most important info: SUBMIT! 
To let Scalix only accept mails from certain servers, you'd simply have to add e.g.:
SUBMIT Accept 200.200.200.200 -> Accept incoming mails from this IP
SUBMIT Log_Reject ALL -> Block and log connection attempts from any other IP than listed above
Let me explain to you briefly my set up:
[COLO server: 200.200.200.200] --INTERNET--> [Scalix server: 192.168.1.2] <--INTRANET--> CLIENTS
I have the COLO server listed as MX record in the DNS; like this mail coming from the outside world is greylisted and scanned for viruses by the COLO Server and then relayed to the local Scalix server which does spam and virus checks again. 99,x% of the spam is rejected on COLO level because of the greylisting so scalix can focus on what it has been set up for...
One could go a step further and add some kind of escalation service which checks if the COLO server is still alive and if not:
1st update MX settings with Scalix server ip and
2nd update smtpd.cfg by adding a line: SUBMIT Log_Reject DNSBL,**theChosenDNSBLservices**,ALL and commenting the lines mentioned above
3rd restarting smtpd
Like this you can make sure that you're still receiving mails though your "primary MX" has crashed or is down for maintenance or whatever reason.
Now you could say, why should I do this and not simply having a secondary MX listed? Simple answer: Greylisting means a plain reject of a mail at first delivery attempt. If you'd have a secondary MX, all mail services would try to push its mail to this one instead of a retry to the primary MX. Greylisting wouldn't work then anymore if you don't have SQLgrey running and all MX servers check against a central greylist table.
PS: a fairly good explaination is in "Scalix_Setup_Guide_11.0.2.pdf"
To let Scalix only accept mails from certain servers, you'd simply have to add e.g.:
SUBMIT Accept 200.200.200.200 -> Accept incoming mails from this IP
SUBMIT Log_Reject ALL -> Block and log connection attempts from any other IP than listed above
Let me explain to you briefly my set up:
[COLO server: 200.200.200.200] --INTERNET--> [Scalix server: 192.168.1.2] <--INTRANET--> CLIENTS
I have the COLO server listed as MX record in the DNS; like this mail coming from the outside world is greylisted and scanned for viruses by the COLO Server and then relayed to the local Scalix server which does spam and virus checks again. 99,x% of the spam is rejected on COLO level because of the greylisting so scalix can focus on what it has been set up for...
One could go a step further and add some kind of escalation service which checks if the COLO server is still alive and if not:
1st update MX settings with Scalix server ip and
2nd update smtpd.cfg by adding a line: SUBMIT Log_Reject DNSBL,**theChosenDNSBLservices**,ALL and commenting the lines mentioned above
3rd restarting smtpd
Like this you can make sure that you're still receiving mails though your "primary MX" has crashed or is down for maintenance or whatever reason.
Now you could say, why should I do this and not simply having a secondary MX listed? Simple answer: Greylisting means a plain reject of a mail at first delivery attempt. If you'd have a secondary MX, all mail services would try to push its mail to this one instead of a retry to the primary MX. Greylisting wouldn't work then anymore if you don't have SQLgrey running and all MX servers check against a central greylist table.
PS: a fairly good explaination is in "Scalix_Setup_Guide_11.0.2.pdf"
Who is online
Users browsing this forum: No registered users and 2 guests