
Mail Preferences - localhost question

pstechnology

Guest
Hi. I have just read elsewhere on this forum that leaving Plesk in the default 127.0.0.0/8 setting in Server Wide Mail Preferences is in effect leaving the server an open relay.

I changed it to 127.0.0.1/32 as per the advice I read, but then I questioned whether it should be 127.0.0.0/32 or 127.0.0.1/32.

Was I right to follow this advice and which localhost IP should it be? .1 or .0

Many thanks!
 
From everything that I could read on the subject, it should be 127.0.0.1/32

I changed mine two weeks ago and have not had a problem with this setting.
 
Thanks for your advice.

Do you know if this applies to 7.5.4 as well as 8.01?

Thanks
 
Three weeks and counting.

I've had mine set to 127.0.0.1/32

for three weeks now with no ill effect.

Of course I haven't noticed a significant decrease in SPAM either. But for what it's worth it should not break your server.
 
127.0.0.1/32 is universally known as a localhost IPv4 IP. The /32 is the CIDR mask for a single IP. 127.0.0.0/8 leaves that entire class A open. ARIN and other IP numbering registries recognize that Class A (127.0.0.0 - 127.255.255.255) as reserved space (See Here).

From that page:
127/8 Sep 81 IANA - Reserved See [RFC3330] RFC3330 Info

Basically what can happen is because many spammers spoof reserved address space from 127.0.0.0/8 there is always the possibility that they can relay across your SMTP server freely. Locking it down to 127.0.0.1/32 or whatever your localhost resolves to on your machine, will provide access only to your specific machine. It has to be there or certain things fail, one being sending to remote email addresses (not hosted on your server) from server side applications such as Horde.

I have the following config and it works beautifully.

I've assigned 127.0.0.1/32 and each IP bound to my NIC as individual /32's in the white list. I have MAPS protection enabled using sbl-xbl.spamhaus.org, SMTP auth enabled, no POP b4 SMTP, no SPF lookups, and using strict user@domain long username authentication. I've had very good luck with this configuration for years now.

Someone had asked if this problem happened in PSA 7.5.4 and I do not think so. I only had to add 127.0.0.1/32 once I upgraded to PSA 8.x.

Thx
James
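
The difference between the white list entries discussed in this thread (127.0.0.0/8, 127.0.0.0/32 and 127.0.0.1/32) can be checked mechanically. The following is an added example, not part of the original posts and not Plesk code; the function names, the IPv4-only handling and the sample addresses (including 192.0.2.10 standing in for an IP bound to the NIC) are assumptions made for illustration.

```python
import ipaddress

LOOPBACK_BLOCK = ipaddress.IPv4Network("127.0.0.0/8")
LOCALHOST = ipaddress.IPv4Address("127.0.0.1")


def parse_entry(entry):
    """Parse an 'address/mask' entry; strict=False tolerates host bits (127.0.0.1/8)."""
    return ipaddress.IPv4Network(entry, strict=False)


def relay_allowed(client_ip, whitelist):
    """True if client_ip falls inside any white list entry."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in parse_entry(e) for e in whitelist)


def audit_whitelist(whitelist):
    """Return (entry, finding) pairs for loopback entries that are too wide
    or that are a single address other than 127.0.0.1."""
    findings = []
    for entry in whitelist:
        net = parse_entry(entry)
        if not net.overlaps(LOOPBACK_BLOCK):
            continue  # not a loopback entry, e.g. an IP bound to the NIC
        if net.num_addresses > 1:
            findings.append((entry, f"covers {net.num_addresses} addresses, not one host"))
        elif LOCALHOST not in net:
            findings.append((entry, "single address, but not 127.0.0.1"))
    return findings


if __name__ == "__main__":
    # Constructed sample white lists: the default, the ".0" variant asked
    # about in the thread, and the per-host /32 layout described above.
    samples = {
        "default": ["127.0.0.0/8"],
        "dot-zero": ["127.0.0.0/32"],
        "per-host": ["127.0.0.1/32", "192.0.2.10/32"],
    }
    for name, wl in samples.items():
        print(name, "findings:", audit_whitelist(wl))
        # 127.45.6.7 is a constructed loopback-range address that is not localhost.
        for ip in ("127.0.0.1", "127.45.6.7"):
            print(f"  {ip} whitelisted: {relay_allowed(ip, wl)}")
```

The ".0" variant matches only 127.0.0.0, so connections from 127.0.0.1 would not be covered by it.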
 
Re: Three weeks and counting.

Originally posted by carliebentley
I've had mine set to 127.0.0.1/32

for three weeks now with no ill effect.

Of course I haven't noticed a significant decrease in SPAM either. But for what it's worth it should not break your server.

Try using ART's Gamera server project or look into external SPAM/Virus filtering service providers or appliances. The idea is to point your MX at the spamhost and let it take the brunt of the spam onslaught. Mail is then host routed direct to your PSA server. It works quite well if tuned right. I've dropped the load on my PSA servers quite a bit because they're not doing any AV processing (DrWeb disabled) and SA doesn't have as much work to do on a clean message.

I've built my own version of ART's project, but designed around Qmail, Simscan, ClamAV and SpamAssassin on FreeBSD. ART's project is RPM based for Linux distros, which wouldn't readily work for me. Just a note: I provide this service at a reasonable cost per domain or client. I'm also working on a similar setup with Exim as the MTA instead of Qmail because of its built-in Call Ahead/Call Back functionality as a mail relay.

Thx
J
 