Securing server from email filter service
Question asked by jjreed34 - November 26, 2017 at 3:37 PM
Unanswered
I have my mail filtered by a service, DYNU, to filter SPAM/Virus. How can I lock down my Smartermail to only allow mail from their 2 MX servers? My MX record is set to their incoming servers, they scan and hold the mail (if needed) and then forward to my server.
 
Also, they have an option to communicate server to server via TLS/SSL, does Smartermail support this?
 
Finally after purchasing, installing, converting from hosted 11.7 SM to 15.7 SM, everything is working great!   Many tips from this forum were helpful.   And I did not want to go down the 16SM road yet.
 
Thanks
JJ

2 Replies

0
AFAIK, you cannot reliably allow incoming email from only certain addresses without making changes at the firewall level. You might be able to do this from within Windows Firewall or another third-party Windows program, but I use a filter on a Sonicwall firewall to allow only the IP addresses of my external filtering service on port 25 incoming; in my case the servers at Symantec Email Security.cloud. They utilize several IP ranges from around the world, and I only allow email from those address ranges.
 
Please correct me if I'm wrong! I do know that what I use works for me.
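
The Windows Firewall variant of the approach described in the reply above, as an added example that is not part of the original thread. The addresses are RFC 5737 documentation placeholders and the rule name is hypothetical; substitute the ranges your filtering service publishes and run from an elevated PowerShell prompt.

```powershell
# Added example. Placeholder addresses (RFC 5737); replace with the
# ranges published by your mail filtering service.
$FilterRanges = @('192.0.2.10', '192.0.2.11', '198.51.100.0/24')
$RuleName     = 'SMTP 25 inbound - mail filter only'   # hypothetical name

# True when a LocalPort value ('Any', '25', '20-30', or a list) covers port 25.
function Test-CoversPort25 {
    param([string[]]$LocalPort)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any' -or $p -eq '25') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and
            [int]$Matches[1] -le 25 -and [int]$Matches[2] -ge 25) { return $true }
    }
    return $false
}

# 1. Find enabled inbound allow rules that already admit TCP 25 from any
#    address. A connection is allowed if ANY allow rule matches, so these
#    rules would still let senders reach port 25 without passing the filter.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if (($port.Protocol -in @('TCP', 'Any', '6')) -and
            (Test-CoversPort25 $port.LocalPort) -and
            ($addr.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                LocalPort   = $port.LocalPort -join ','
            }
        }
    }
$broad | Format-Table -AutoSize

# 2. Add the scoped allow rule if it does not exist yet.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 25 -RemoteAddress $FilterRanges -Profile Any |
        Out-Null
}

# 3. After reviewing the table from step 1, disable the broad rules.
#    A program-wide rule may also carry other mail ports (submission, IMAP,
#    webmail); recreate those as per-port rules before disabling it.
# $broad | ForEach-Object { Disable-NetFirewallRule -Name $_.Name }
```

Step 3 is left commented out on purpose: disabling a broad rule before the scoped rule and any per-port replacements exist will cut off mail delivery.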
 
 
0
I believe you could whitelist their server addresses, and add the IP ranges above and below to the blacklist. That should be sufficient on that front.
 
As to ensuring your server is utilizing SSL/TLS for SMTP, you'll need to have/perform the following:
 
- SSL certificate bound to your server's host name or domain name (wildcard)
- SSL certificate bound to SMTP port definition in SM.
- "Use TLS if supported by the remote server" enabled under Protocol Settings>SMTP card.
- Standard SMTP disabled
 
This will force the server to utilize a TLS encrypted connection when communicating with outside servers. Now, if one of the spam servers ever tries to relay mail to your server while NOT using a TLS connection - the relay attempt will be dropped due to the lack of security. 
 
I'll double check the locations in my SM install this afternoon and follow up with some better instructions for you. 
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
