
Restrict mail receipt to a single subnet


bhelmick

Guest
I'm having a problem with restricting my Plesk 8.0 server to ONLY accept mail from a single subnet and I'm curious if anyone has a suggestion for how to go about this.

The reason why I need to do this is that I've purchased SPAM filtering services from mailroute.net for our entire server. Our MX record is changed to point to them and we are receiving mail through them without a problem. However, the issue is that spammers can simply ignore our MX record and go to the box directly; PSA-Qmail still happily accepts the mail. I've noticed that upwards of 60% of the SPAM we received after subscribing to their service did not go through mailroute.net indicating to me that spammers are still sending junk directly to the box. It's been more than six months since the MX switch so any TTLs and DNS caches should have WAY expired.

I've tried placing the mailroute.net subnet into the mail server whitelist, but the box still accepts mail from anyone.

I know this can be done directly through qmail. However, I'm always fearful of modifying anything from the command line without first consulting these forums. Not because I'm uncomfortable with manually editing the server, quite the contrary, I'm more concerned with angering Plesk.

Are there any suggestions as to how I should go about doing this in a Plesk friendly way?

Thanks.
 
I know the feeling, about not wanting to anger Plesk. How about using an iptables rule to filter access to port 25? E.g., if the default table policy is drop:

iptables -A INPUT -p tcp --dport 25 -s 1.2.3.4 -j ACCEPT
 
Excellent idea, but modifying iptables directly is out since the Plesk firewall module overwrites the configuration. However I could add this rule via the firewall module.

The "SMTP (mail sending) server" rule in the firewall module has an option that says "Allow from selected sources, deny from others"

I guess I could have found this in the manual, but honestly I never thought to look for changing what I figured would be a mailserver setting in the firewall.

Does anyone have an opinion as to why this wouldn't be a good idea?
 
After enabling this on my server I found there is an unintended consequence. Any of my users that relay their mail through the server are also now blocked. So any of my remote/mobile users cannot use the SMTP server at all now. This of course is very bad and I had to remove this firewall restriction.

The only thing I can think of to keep using this method is to have the SMTP server listen on a port other than 25 and have my mobile users set their mail clients accordingly. Of course the whole point is to alleviate spam and I have to believe that the spammers aren't ignorant to this and simply ping ports looking for any active and receptive SMTP servers beyond 25.

Is there another way to approach this?

Perhaps setting Qmail to listen on port 2525 and ONLY have it accept authenticated SMTP users would be the way to go. I'm not sure how to approach doing something like that, and again considering Plesk's reaction to changing Qmail.
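A concrete rule set for the split discussed in this thread (port 25 reachable only from the filtering provider, a separate authenticated submission port left open for remote users), added here as an example and not posted by anyone in the thread. It assumes a placeholder provider subnet of 203.0.113.0/24, that the service on port 587 requires SMTP AUTH, and that on a Plesk box the same rules would be entered through the firewall module, since that module rewrites the iptables configuration.

```shell
#!/bin/sh
# Added example: restrict inbound SMTP (port 25) to the mail-filtering
# provider's subnet while keeping an authenticated submission port open.
# Placeholders: 203.0.113.0/24 stands in for the provider's real subnet.
# Assumption: the listener on SUBMISSION_PORT requires SMTP AUTH.

FILTER_NET="${FILTER_NET:-203.0.113.0/24}"   # placeholder subnet
SUBMISSION_PORT="${SUBMISSION_PORT:-587}"

# Emit the rule set in iptables-restore format so it can be reviewed
# before it is applied. A dedicated chain avoids relying on the
# INPUT chain's default policy being DROP.
gen_smtp_rules() {
net="$1"; port="$2"
cat <<EOF
*filter
:SMTP-IN - [0:0]
# Inbound MX traffic: accept only from the filtering provider.
-A INPUT -p tcp --dport 25 -j SMTP-IN
-A SMTP-IN -s ${net} -j ACCEPT
-A SMTP-IN -j DROP
# Authenticated submission stays reachable for remote/mobile users.
-A INPUT -p tcp --dport ${port} -j ACCEPT
COMMIT
EOF
}

# Sanity check: count rules that ACCEPT port 25 directly, bypassing
# SMTP-IN. The generated set should contain none.
count_bypass_rules() {
    gen_smtp_rules "$1" "$2" | grep -c -- '--dport 25 -j ACCEPT' || true
}

# Load the rules without flushing chains managed elsewhere.
apply_smtp_rules() {
    gen_smtp_rules "$1" "$2" | iptables-restore --noflush
}

if [ "${1:-}" = "--apply" ]; then
    apply_smtp_rules "$FILTER_NET" "$SUBMISSION_PORT"
else
    gen_smtp_rules "$FILTER_NET" "$SUBMISSION_PORT"
fi
```

Run without arguments to print the rule set for review; `--apply` loads it with iptables-restore.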
 