Koozali.org: home of the SME Server

limit smtp inbound connection

v8star
limit smtp inbound connection
« on: March 16, 2016, 02:22:12 PM »
Hi everybody,

I have to restrict inbound SMTP connections to a single source IP (an antispam appliance in another network). My customer does not have a firewall (sigh), only a router from their ISP that has no firewall: it can only PAT ports. I don't want tcp:25 exposed to the entire internet. ATM I have played with iptables with the following commands:

config setprop smtpd AllowHosts 123.123.123.123,456.456.456.456/32 DenyHosts 0.0.0.0/0
signal-event remoteaccess-update

-A InboundTCP -j InboundTCP_24020
-A InboundTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A InboundTCP_24020 ! -d 192.168.1.150/32 -j denylog
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 993 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j denylog
-A InboundTCP_24020 -s 123.123.123.123/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_24020 -s 456.456.456.456/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 465 -j ACCEPT


Chain SMTPProxy (1 references)
target     prot opt source               destination
denylog    tcp  --  anywhere             anywhere            tcp dpt:smtp

Due to SMTP being unreachable from external hosts (only from the local net), I deleted the rule in bold (rule 6 of InboundTCP_24020, the "--dport 25 -j denylog" line) with:

iptables -D InboundTCP_24020 6

Now it's working, but I know that at the next reconfiguration I will lose this ruleset.

I need help to create a valid custom template.

Thanks in advance
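
Added example, not from this thread and not SME Server code: in the ruleset posted above, the "--dport 25 -j denylog" rule (rule 6 of InboundTCP_24020) sits before the two per-source ACCEPT rules (7 and 8). iptables stops at the first matching rule in a chain, so both ACCEPTs are shadowed and every connection to port 25 is logged and dropped, which is exactly why deleting rule 6 made it work. The script below generates the port-25 rules in first-match order (per-source ACCEPTs first, catch-all denylog last) and checks any iptables-save style ruleset for that shadowing. The second source address (198.51.100.7, a documentation address standing in for the post's placeholder 456.456.456.456) and the chain name are assumptions; the constructed sample ruleset is the post's order trimmed to its three port-25 lines.

```shell
#!/bin/sh
# Added example, not part of the thread or of SME Server.
# Generates TCP/25 rules in first-match order and checks a ruleset for a
# shadowed ACCEPT (an ACCEPT for --dport 25 placed after a denylog for it).

# smtp_allow_rules DST CHAIN SRC...  -> prints iptables-save style rules:
# one ACCEPT per allowed source, then a single log-and-deny for everyone else.
smtp_allow_rules() {
    dst=$1
    chain=$2
    shift 2
    for src in "$@"; do
        printf -- '-A %s -s %s -d %s -p tcp -m tcp --dport 25 -j ACCEPT\n' \
            "$chain" "$src" "$dst"
    done
    printf -- '-A %s -d %s -p tcp -m tcp --dport 25 -j denylog\n' "$chain" "$dst"
}

# check_smtp_order < RULES -> exit 0 if no port-25 ACCEPT is shadowed by an
# earlier port-25 denylog in the same chain, exit 1 otherwise.
# The deny is tracked per chain so rules in other chains do not interfere.
check_smtp_order() {
    awk '
        /--dport 25 / { chain = $2 }                       # "-A <chain> ..."
        /--dport 25 / && /-j denylog/ { deny[chain] = NR }
        /--dport 25 / && /-j ACCEPT/ && deny[chain] { shadowed++ }
        END { exit (shadowed ? 1 : 0) }
    '
}

# Constructed sample: the order seen in the original post (deny at rule 6,
# accepts at 7 and 8), trimmed to the three port-25 lines; the second source
# address is an assumed stand-in for the post's placeholder.
POSTED_RULES='-A InboundTCP_24020 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j denylog
-A InboundTCP_24020 -s 123.123.123.123/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_24020 -s 198.51.100.7/32 -d 192.168.1.150/32 -p tcp -m tcp --dport 25 -j ACCEPT'

# Demo when run directly: the posted order fails, the generated order passes.
if printf '%s\n' "$POSTED_RULES" | check_smtp_order; then
    echo "posted ruleset: ok"
else
    echo "posted ruleset: port-25 ACCEPT is shadowed by an earlier denylog"
fi
smtp_allow_rules 192.168.1.150/32 InboundTCP_24020 123.123.123.123/32 198.51.100.7/32 \
    | check_smtp_order && echo "generated ruleset: ok"
```

The generated lines are what a persistent version of the hand-deleted ruleset should contain; on an SME Server the place for them is a custom template fragment rather than a manual iptables -D, and after any re-expansion the live chain can be checked with iptables -L InboundTCP_24020 -n --line-numbers to confirm the ACCEPT rules precede the denylog.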


v8star
Re: limit smtp inbound connection
« Reply #1 on: March 16, 2016, 02:50:24 PM »
I have just reconfigured the server for updates; the iptables configuration still exists, including the bold one (that blocks SMTP entirely).

How can I reset the DenyHosts entry?

Stefano
Re: limit smtp inbound connection
« Reply #2 on: March 16, 2016, 03:42:16 PM »
You'd wonder, just in case, whether, using the DenyHosts/AllowHosts props, they were not in place anymore :-D

janet
Re: limit smtp inbound connection
« Reply #3 on: March 16, 2016, 07:08:21 PM »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

CharlieBrady
Re: limit smtp inbound connection
« Reply #4 on: March 17, 2016, 02:58:23 AM »
I would recommend that you configure smtpd for access=>private, and then configure the appliance to connect via smtps.

v8star
Re: limit smtp inbound connection
« Reply #5 on: March 17, 2016, 09:34:00 AM »
> I would recommend that you configure smtpd for access=>private, and then configure the appliance to connect via smtps.

With smtps, will I need auth?

Stefano
Re: limit smtp inbound connection
« Reply #6 on: March 17, 2016, 11:08:15 AM »
Yes, sure.

v8star
Re: limit smtp inbound connection
« Reply #7 on: March 17, 2016, 11:13:33 AM »
> Yes, sure.

So in this case it is not applicable, because I can't pass any credential to my appliance, as every appliance does.

Stefano
Re: limit smtp inbound connection
« Reply #8 on: March 17, 2016, 11:17:49 AM »
Do you mean that the AV/AS appliance doesn't support such a configuration?

v8star
Re: limit smtp inbound connection
« Reply #9 on: March 17, 2016, 11:29:51 AM »
Yep: many antispam appliances I've tried can't auth to the mail server by design. Relay must be open, as from the internal net: you can only change the port.
In this situation, in MS Exchange (or hMail) I can define accepted source IP addresses for tcp:25 and for anonymous.

The best solution is a firewall in the customer network, but in Italy IT security is not an investment but a silly cost :x

CharlieBrady
Re: limit smtp inbound connection
« Reply #10 on: March 17, 2016, 02:31:43 PM »
> With smtps, will I need auth?

Not for email messages which have a destination domain on your SME server. Auth is only required before relaying messages.