SMTP Proxy listen on sub interface only?

We're looking at limiting the smtp proxy listening on all interfaces. Now I can see that it can be limited to x interface/s but can it be limited to a sub interface i.e. an additional IP

eg. eth0 = WAN 2.2.2.2/27 with additional IPs of 2.2.2.3, 2.2.2.4 etc

Can it be limited to above example 2.2.2.4 or will it just simply listen on all IPs on that /27 subnet?

  • Hi Louis,

    Two NAT rules, in order:

    NONAT : Internet -> {25, 465, 587} -> {2.2.2.4}
    DNAT : Internet -> {25, 465, 587} -> External (Network) : to {240.0.0.1}

    That blackholes all SMTP traffic to the other IPs.  Is that what you were looking for?

    Cheers - Bob

  • In reply to BAlfson:

    Not quite sure there Bob.

    This is for the SMTP proxy on the UTM which by default, listens on ALL interfaces. We have a WAN with a /27 so the WAN has one IP with the other IPs as additional IPs.

    Going into the SMTP proxy on the UTM, we can select a unique interface but it only allows the primary interface IP or other interfaces eg vlans.

    It doesn't allow you to select the additional IPs on the primary interface.

  • In reply to Louis-M:

    Online Help:

    Listen Interfaces

    By default, the SMTP proxy listens on all interfaces on ports 25, 465, and 587 for incoming email traffic.

    To listen only on particular interfaces, select the option Custom Interfaces and add interfaces to the Allowed Interfaces box. Click Apply.


    Seems like it is only the WAN Interface object. So you should be able to add the Alias Interface there.

  • In reply to LuCar Toni:

    It can be made to listen on any custom interface only. But it can only be limited to listen on the primary IP of that interface, not just listen on an additional IP on that interface only.

    So it appears to be a little limited e.g. in the above example, you can get it to listen only on 2.2.2.2/27 (Primary IP of the interface) but not listen only on 2.2.2.3 or 2.2.2.4 (additional IPs of the interface).

  • In reply to LuCar Toni:

    Cool, Tony - I didn't see when that was added.

    Cheers - Bob

  • In reply to Louis-M:

    Did you try the NAT rules, Louis?  According to #2 in Rulz (last updated 2019-04-17), the DNAT should blackhole traffic on other IPs before the traffic can reach the SMTP Proxy.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    I do believe it may have worked. A little more testing but it's looking promising. I'm wondering if I can put all of those IPs into a group and just have the one DNAT rather than multiple DNATs for each additional IP:

    eg:

    traffic from: any
    using: smtp
    Going to: <<<Group with all additional interface IPs>>>
    Change destination to: Blackhole IP

    And is it necessary to create a firewall rule or automatic firewall rule for this or should you just not create a firewall rule?

  • In reply to Louis-M:

    Brill.... it worked a treat. SMTP only replying from 1 IP address now instead of from all additional IPs as well.

    Cheers Bob
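An added model (not from the thread or from Sophos) of the two NAT tables discussed above, Bob's ordered NONAT/DNAT pair and Louis's single DNAT against a group of additional IPs, evaluated first-match like the UTM's NAT table. It assumes the group holds every additional IP except the one kept (2.2.2.4) and that 240.0.0.1 is the blackhole; it shows why the rule order matters and that the group variant leaves the primary IP 2.2.2.2 reachable unless it is added to the group.

```python
"""First-match model of the UTM NAT table from the thread (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

BLACKHOLE = "240.0.0.1"                      # unroutable destination used on the page
SMTP_PORTS = frozenset({25, 465, 587})       # the ports the SMTP proxy listens on


@dataclass(frozen=True)
class Rule:
    action: str                              # "NONAT" (exempt) or "DNAT" (rewrite)
    going_to: Tuple[str, ...]                # destination hosts/networks it matches
    ports: FrozenSet[int]
    change_to: Optional[str] = None          # new destination for a DNAT


def matches(rule: Rule, dst_ip: str, dst_port: int) -> bool:
    ip = ip_address(dst_ip)
    return dst_port in rule.ports and any(ip in ip_network(n) for n in rule.going_to)


def apply_nat(rules, dst_ip: str, dst_port: int) -> str:
    """Walk the table top to bottom; the first hit decides the final destination."""
    for rule in rules:
        if matches(rule, dst_ip, dst_port):
            return dst_ip if rule.action == "NONAT" else rule.change_to
    return dst_ip                            # no rule matched: untouched


# Bob's two rules, in order: exempt the kept IP, then blackhole the whole external /27.
BOB_RULES = (
    Rule("NONAT", ("2.2.2.4/32",), SMTP_PORTS),
    Rule("DNAT", ("2.2.2.0/27",), SMTP_PORTS, change_to=BLACKHOLE),
)

# Louis's variant: one DNAT whose "Going to" is a group of the additional IPs.
# Assumed membership: every additional IP except the kept 2.2.2.4; the primary
# IP 2.2.2.2 is NOT in the group, so SMTP to it is not blackholed by this rule.
GROUP_RULES = (
    Rule("DNAT", ("2.2.2.3/32", "2.2.2.5/32", "2.2.2.6/32"), SMTP_PORTS,
         change_to=BLACKHOLE),
)


def smtp_reaches_proxy(rules, dst_ip: str, port: int = 25) -> bool:
    """True if SMTP to dst_ip survives the NAT table and can reach the proxy."""
    return apply_nat(rules, dst_ip, port) == dst_ip
```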