Koozali.org: home of the SME Server

Limit SMTP connections?

Alan Stevens

Limit SMTP connections?
« on: August 07, 2003, 10:21:03 PM »
Hello Gurus,

I pass mail through an ISP's mail system (not our ISP) for virus scanning and spam filtering before having it delivered to our E-Smith (oops, I mean SME Server).  How can I best limit SMTP connections to the subnet or domain of the ISP?

Alan--

Nathan Fowler

Re: Limit SMTP connections?
« Reply #1 on: August 07, 2003, 11:59:52 PM »
Basically, you only want incoming SMTP connections to be allowed from your ISP's server, and no other SMTP server?

To do this, I would issue the following ipchains rule:

ipchains -A input -p tcp --dport 25 --source ! AAA.BBB.CCC.DDD/XX -j DENY -i ethX

Where AAA.BBB.CCC.DDD is the IP address and/or network number of the ISP's SMTP server and /XX is the CIDR notation of that respective subnet/host.

The exclamation mark denotes "deny all BUT AAA.BBB.CCC.DDD/XX" as is necessary.

-p tcp --dport 25 denotes protocol TCP, destination port 25 (SMTP)

ethX is the outward facing ethernet device, possibly eth0 or eth1.

Some common CIDR notation for subnet masks:
255.255.255.255 = /32
255.255.255.0 = /24
255.255.0.0 = /16
255.0.0.0 = /8

Hope this helped,
Nathan

Alan Stevens

Re: Limit SMTP connections?
« Reply #2 on: August 08, 2003, 07:41:22 AM »
Thanks Nathan,  

That probably is what I am looking for.  I didn't know if there was a way to have the SMTP service refuse unwanted connections, but blocking at the firewall has the same effect.

How can I make this rule survive a reboot?  Is there a specific template, or config file that I need to record it in, or does entering it at the CLI make it persistent?

What about /etc/e-smith/templates/etc/rc.d/init.d/masq/45AllowSMTP?  Is there a way to add this rule to a custom template of this file?

Thanks again,

Alan--

Nathan Fowler

Re: Limit SMTP connections?
« Reply #3 on: August 08, 2003, 11:12:44 PM »
I'm not sure about editing the fragment you specified, I run an older version of SME.  However, if you appended it to the bottom of /etc/rc.d/rc.local it would survive a reboot.  I'm not sure if rc.local is templated, you could check it out to see if it is and create a custom fragment.  If it's not templated, then just append it to the bottom.

Hope this helped,
Nathan
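An added example, not code from the thread or from SME Server: a small POSIX sh script that builds the port-25 restriction from Reply #1 and can be dropped into rc.local (or a custom template fragment) as Reply #3 suggests. It uses an explicit ACCEPT per allowed relay network followed by a logged catch-all DENY instead of the single negated rule, which is equivalent for one relay but also handles several relay networks and reads unambiguously in "ipchains -L input -n". The relay network 192.0.2.0/24, the extra host 203.0.113.7/32 and the external interface eth1 are placeholders (RFC 5737 documentation addresses), and each CIDR is validated before any rule is emitted so a typo cannot silently widen the allow list.

```shell
#!/bin/sh
# Added example, not from the original thread or from SME Server.
# Assumed placeholders: ISP relay network 192.0.2.0/24, external interface eth1.
# Override from the environment, e.g. EXT_IF=eth0 ALLOWED_SMTP_NETS="a.b.c.d/32" sh smtp25.sh
ALLOWED_SMTP_NETS="${ALLOWED_SMTP_NETS:-192.0.2.0/24}"
EXT_IF="${EXT_IF:-eth1}"
IPCHAINS="${IPCHAINS:-ipchains}"

# Accept only a.b.c.d/nn: four octets in 0-255 and a prefix length in 0-32.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr="${1%/*}"
    prefix="${1#*/}"
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one ipchains command per line for the given networks; runs nothing.
# Order matters: the ACCEPT rules must precede the catch-all DENY in the input chain.
# -l logs denied SMTP attempts to the kernel log so the block can be verified.
smtp_rules() {
    for net in "$@"; do
        valid_cidr "$net" || { echo "smtp_rules: bad CIDR '$net'" >&2; return 1; }
        echo "$IPCHAINS -A input -i $EXT_IF -p tcp -s $net --dport 25 -j ACCEPT"
    done
    echo "$IPCHAINS -A input -i $EXT_IF -p tcp --dport 25 -l -j DENY"
}

# Apply the rules for ALLOWED_SMTP_NETS; aborts before touching the chain on a bad CIDR.
apply_smtp_rules() {
    rules=$(smtp_rules $ALLOWED_SMTP_NETS) || return 1
    printf '%s\n' "$rules" | while read -r cmd; do
        $cmd || return 1
    done
}

# "sh smtp25.sh" shows the rules; "sh smtp25.sh --apply" installs them.
if [ "${1:-}" = "--apply" ]; then
    apply_smtp_rules
else
    smtp_rules $ALLOWED_SMTP_NETS
fi
```

After applying, "ipchains -L input -n" should show the ACCEPT line(s) above the DENY line; a test connection to port 25 from a host outside the relay network should be refused and leave a kernel log entry, while one from the relay network should reach the SMTP banner.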