Hi Guys,
Here is the scenario - we host a MailEnable instance that is used by multiple users, all with dynamic IP addresses, by Websites that are hosted on the same server, in front of our MailEnable instance, there is an SpamFilter.
My issue is that currently - there are some users who are receiving spam that is sent directly to the MailEnable instance, since it is bypassing the SpamFilter, it is not getting filtered.
Something to note is that all Spam Filtering within MailEnable is disabled (by design) so that there is only place that our support staff need to check to see if an email is blocked.
I believe that the solution to my problem is to set the MailEnable instance to only allow inbound email that has authenticated - this however raises 2 questions:
1: For Web Apps that send using the localhost 127.0.0.1 (which is currently a priviledged IP) - will they still be able to send out?
2: Presumably I will need to setup an Administrative user for my SpamFilter to authenticate against MailEnable to deliver email? or if the SpamFilter/MailEnable doesn't have this capacity, then I will need to add the SpamFilter IP as Priviledged?
Thanks
Tim
Inbound SMTP restrictions
-
Brett Rowbotham
- Posts: 560
- Joined: Mon Nov 03, 2003 7:48 am
- Location: Cape Town
Re: Inbound SMTP restrictions
Why not simply change the inbound SMTP port on your ME instance to a non-standard value? As long as your spam filter can be set up to communicate on this non-standard port, your ME instance will no longer be locatable by the general public.
-
WindowsSysadmin
- Posts: 2
- Joined: Fri Dec 15, 2017 1:20 am
Re: Inbound SMTP restrictions
The server is used by Multiple users who are external - changing the inbound SMTP port values would require getting all of them to reconfigure their Mail clients. This is not an option.Brett Rowbotham wrote:Why not simply change the inbound SMTP port on your ME instance to a non-standard value? As long as your spam filter can be set up to communicate on this non-standard port, your ME instance will no longer be locatable by the general public.
Re: Inbound SMTP restrictions
Yes, you can block those connections by going into port settings and checking the "Requires connections to authenticate before sending mail" box.
Adding a privileged IP bypasses the authentication, so localhost won't be a problem. I would also suggest adding ::1 in addition to 127.0.0.1 if you have any IPv6 on the server.
Your user on the spam appliance does not need to be an admin user -- any user will work -- though adding the spam appliance IP address would probably be a cleaner solution.
I would NOT recommend relying on security though obscurity by changing the port number. It is a false sense of security. By all means change the port number if you like, but that action alone won't secure the server. If you are like most admins you probably already have 587 and 625 added, but make sure that auth and SSL is required on those as well.
Other Suggestions:
1) I would also check your DNS to make sure that you haven't left the MailEnable server as a secondary MX on any of the domain names. The spammers found the server somehow and are exploiting it, DNS is the most used method of finding the server.
2) I would also suggest checking the box to require SSL. Do this on all other mail protocols used (IMAP and POP) so that a someone in a coffee shop cannot sniff a client's password out of the air.
3) You have probably already done so, but check your logs and make sure that the spammer isn't using an authenticated connection. A weak password or a password sniffed over wifi would let them bypass your security - and a client's cell phone automatically checking email as they walk through a bogus wifi hot spot will open up your server if you don't require SSL.
Adding a privileged IP bypasses the authentication, so localhost won't be a problem. I would also suggest adding ::1 in addition to 127.0.0.1 if you have any IPv6 on the server.
Your user on the spam appliance does not need to be an admin user -- any user will work -- though adding the spam appliance IP address would probably be a cleaner solution.
I would NOT recommend relying on security though obscurity by changing the port number. It is a false sense of security. By all means change the port number if you like, but that action alone won't secure the server. If you are like most admins you probably already have 587 and 625 added, but make sure that auth and SSL is required on those as well.
Other Suggestions:
1) I would also check your DNS to make sure that you haven't left the MailEnable server as a secondary MX on any of the domain names. The spammers found the server somehow and are exploiting it, DNS is the most used method of finding the server.
2) I would also suggest checking the box to require SSL. Do this on all other mail protocols used (IMAP and POP) so that a someone in a coffee shop cannot sniff a client's password out of the air.
3) You have probably already done so, but check your logs and make sure that the spammer isn't using an authenticated connection. A weak password or a password sniffed over wifi would let them bypass your security - and a client's cell phone automatically checking email as they walk through a bogus wifi hot spot will open up your server if you don't require SSL.
