1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Restrict mail receipt to a single subnet

Discussion in 'Plesk for Linux - 8.x and Older' started by bhelmick, Nov 16, 2006.

  1. bhelmick

    bhelmick Guest

    I'm having a problem with restricting my Plesk 8.0 server to ONLY accept mail from a single subnet and I'm curious if anyone has a suggestion for how to go about this.

    The reason why I need to do this is that I've purchased SPAM filtering services from mailroute.net for our entire server. Our MX record is changed to point to them and we are receiving mail through them without a problem. However, the issue is that spammers can simply ignore our MX record and go to the box directly; PSA-Qmail still happily accepts the mail. I've noticed that upwards of 60% of the SPAM we received after subscribing to their service did not go through mailroute.net indicating to me that spammers are still sending junk directly to the box. It's been more than six months since the MX switch so any TTLs and DNS caches should have WAY expired.

    I've tried placing the mailroute.net subnet into the mail server whitelist, but the box still accepts mail from anyone.

    I know this can be done directly through qmail. However, I'm always fearful of modifying anything from the command line without first consulting these forums. Not because I'm uncomfortable with manually editing the server, quite the contrary, I'm more concerned with angering Plesk.

    Are there any suggestions as to how I should go about doing this in a Plesk friendly way?

  2. kerm1t

    kerm1t Guest

    I know the feeling, about not wanting to anger Plesk. How about using an iptables rule to filter access to port 25. Eg, if the default table policy is drop:

    iptables -A INPUT -p tcp --dport 25 -s -j ACCEPT
  3. bhelmick

    bhelmick Guest

    Excellent idea, but modifying iptables directly is out since the Plesk firewall module overwrites the configuration. However I could add this rule via the firewall module.

    The "SMTP (mail sending) server" rule in the firewall module has an option that says "Allow from selected sources, deny from others"

    I guess I could have found this in the manual, but honestly I never thought to look for changing what I figured would be a mailserver setting in the firewall.

    Does anyone have an opinion as to why this wouldn't be a good idea?
  4. bhelmick

    bhelmick Guest

    After enabling this on my server I found there is an unintended consequence. Any of my users that relay their mail through the server are also now blocked. So any of my remote/mobile users cannot use the SMTP server at all now. This of course is very bad and I had to remove this firewall restriction.

    The only thing I can think of to keep using this method is to have the SMTP server listen on a port other than 25 and have my mobile users set their mail clients accordingly. Of course the whole point is to alleviate spam and I have to believe that the spammers aren't ignorant to this and simply ping ports looking for any active and receptive SMTP servers beyond 25.

    Is there another way to approach this?

    Perhaps setting Qmail to listen on port 2525 and ONLY have it accept authenticated SMTP users would be the way to go. I'm not sure how to approach doing something like that, and again considering Plesk's reaction to changing Qmail.