Only accept email from a filter gateway.
Question asked by Larry Lubman - February 27, 2015 at 10:52 AM
Answered
OK, first of all, as pointed out in another thread, the "Incoming Gateway" section of the help for SmarterMail is really confusing.  Its terminology is a bit vague and ambiguous.  It is hard to tell if you're making that instance of SmarterMail an incoming gateway or if you're trying to configure that instance of SmarterMail to accept email from an incoming gateway.  It needs work.
 
Now to my question.  I'm using McAfee's Incoming Email protection service which is basically a SPAM filtering gateway.  I changed my MX records to point to their servers.  Problem is that the SPAMMERS are bypassing McAfee and using cached MX records or cached IP addresses and still going directly to my SmarterMail instance.  
 
So, how in SmarterMail do I set to only accept incoming email from McAfee's filter servers (I have the IP addresses) and still be able to send email from my email clients?  I'd like to avoid changing the IP address of my mail server if possible.
 
Thanks in advance!

10 Replies

0
Mark DeLore Replied
Larry, if you are requiring all of your mail to come from the McAfee, have you tried restricting your SmarterMail server's firewall to only accept communication on port 25 to their IP?
0
Larry Lubman Replied
I'd like to set this through SmarterMail itself.  I think it would be pretty straightforward to be able to set the incoming gateway servers since SmarterMail itself can act as a gateway server.  Is this possible?
0
Employee Replied
Employee Post Marked As Answer
Hi Larry,
 
If you only want SmarterMail to accept SMTP traffic over port 25 for a specific IP you can do the following steps:
  • Login as system admin
  • Go to Security | Black List
  • Add the range of IP addresses you do not want to accept. For example, if your gateway is coming from 10.10.10.15, you will blacklist 0.0.0.0-10.10.10.14 and 10.10.10.16-255.255.255.255.
Now all SMTP traffic from port 25 will be blocked with the exception of your gateway.  If your customers are using email clients such as Outlook, Thunderbird, etc., you will need to make sure you have an alternate SMTP port enabled or they will not be able to send emails.  To do this, follow the steps below:
  • Login as the system admin
  • Go to Settings | Binding | IP Address | (edit IP(s) address) | Enable Submission Port
  • Click Save.
Now your customers can use email clients to send through SmarterMail, but all port 25 SMTP traffic will only be accepted from the specified IP address.  This way, if spammers try to connect using a different IP address, SmarterMail will reject it.
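
The blacklist in the answer above is the complement of the gateway address, which gets tedious by hand once a filtering service publishes several addresses or blocks. The following is an added example, not part of the original post and not SmarterTools code: it generalizes the single-IP case to any mix of single IPs, CIDR blocks and `start-end` ranges. The function name `blacklist_ranges` is hypothetical, and 192.0.2.0/28 is a constructed sample block; 10.10.10.15 is the address used in the answer.

```python
import ipaddress

IPV4_MAX = 2**32 - 1


def blacklist_ranges(allowed):
    """Return "start-end" ranges covering every IPv4 address NOT in `allowed`.

    `allowed` may hold single IPs ("10.10.10.15"), CIDR blocks
    ("192.0.2.0/28") or explicit "start-end" ranges.
    """
    spans = []
    for item in allowed:
        if "-" in item:
            lo, hi = (int(ipaddress.IPv4Address(p.strip()))
                      for p in item.split("-", 1))
        else:
            net = ipaddress.IPv4Network(item, strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        if lo > hi:
            raise ValueError(f"range start is above range end: {item}")
        spans.append((lo, hi))

    # Walk the allowed spans in order and emit the gaps between them.
    # Overlapping or adjacent spans are merged by the moving cursor.
    blocked, cursor = [], 0
    for lo, hi in sorted(spans):
        if lo > cursor:
            blocked.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= IPV4_MAX:
        blocked.append((cursor, IPV4_MAX))

    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}"
            for a, b in blocked]


if __name__ == "__main__":
    # 10.10.10.15 is from the answer; 192.0.2.0/28 is constructed sample data.
    for entry in blacklist_ranges(["10.10.10.15", "192.0.2.0/28"]):
        print(entry)
```

Each printed line is one blacklist entry; rerun it whenever the filtering provider changes its published addresses, since a stale list blocks legitimate filtered mail.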
 
0
Larry Lubman Replied
Hi Brian,
This means that we need to change all of our email clients to use another port also, correct?  So, we'd set them to use for example port 587 on all email clients and only accept port 25 from our email gateway?
 
I guess this is the only way to do what I'm asking without making it impossible for people to send email. Or, I guess we could put outgoing email on another IP address.
 
Thanks for your help,
Larry
0
Heimir Eidskrem Replied
The industry has been using port 587 for client submission for years. I am surprised you are not using that already. Several if not most ISPs are blocking port 25 except to their own mail servers. If you have mail gateways, you should block all incoming port 25 except from the gateways. Let your firewall reject the traffic instead of your mail server.
0
Larry Lubman Replied
The mail server is indeed set up to use port 587 and while that is an industry standard now, Outlook still defaults to use port 25, so we'll need to go through all of our email clients and make corrections as necessary. Small price to pay to rid ourselves of the SPAM.
0
Heimir Eidskrem Replied
I think we all did that years back. Just send out a notification with instructions on how to change it, and include a date when you will switch. Then fix everybody that didn't change. They will call you :) Not sure where you are located, but I think every ISP in the US restricted port 25 years back.
0
Bump.
 
Hi Team,
 
We are currently in the same scenario - we have a Spam Filter, we have multiple users (1000+) on Dynamic IPs, using a variety of ports (25, 587, 465) and we have an issue where a number of users are getting Spam Attacks that are directed at the SmarterMail Instance and ignoring the MX records (which would route mail through the filter and block it)
 
Ideally - we would like to be able to set Smartermail to only accept unauthenticated connections on the inbound ports from specific IPs (the IPs of our SpamFilters) and to require authenticated connections for all other IPs.
 
It seems a major shortfall of the Smartermail product if this is not a possibility.
 
Thanks
0
Larry Lubman Replied
Yes, there was a suggestion about setting the SmarterMail Server firewall to only accept email from the SPAM Filter gateway, but are they referring to the server on which SmarterMail is running or within SmarterMail itself? We can't restrict at the Windows Server level because this server does other tasks, so we need to set this within SmarterMail. I think this functionality does exist.
0
Matt Petty Replied
Employee Post
Could blacklist the entire IP range then whitelist the servers you'd like. I remember reading that solution from another user here on the community for a different (but related) topic.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
