
Blocking all SMTP requests, except from my smarthost!

Hi

Situation is as follows:

  • I use the UTM SMTP Proxy functionality in order to use the spam filter, and to attach DKIM information to outgoing mails!
  • Due to a public address within a DHCP scope, and the fact that I can't get my ISP to create a PTR record, I have to use a smarthost (upstream & downstream) I've created in Azure with Postfix.
  • The checkmark "Allow upstream/relay hosts only" is checked, but the SMTP server is still answering requests - I get a 550 Access denied (not in relay or upstream list).

What I need:

  • The possibility to create a firewall rule, that will block all incoming SMTP connections.
  • and then a firewall rule, that will allow delivery of mail from my smarthost!

How to do? Can't seem to get it working...

Best regards

Flemming



This thread was automatically locked due to age.
  • "Your smarthost uses the smtp proxy if you have set it up in that tab, so a firewall rule will not apply."
    I know, that was the intention of using the SMTP proxy all along.

    "Depends on your existing firewall rules, but yes you can and you would put it at the top of the firewall rule table."
    I tried to make an SMTP drop/reject rule at the very top of the list (Sources=Any, Services=SMTP, Destinations=Any).

    Best regards
    Flemming
  • You can probably set up some fancy DNAT rule with the source being your Azure instance and your external address being the destination, changing the destination to the external address (again) with "automatic firewall rules" checked. I am not sure what you are trying to achieve, though. If you define upstream hosts with "allow upstream hosts only" checked in WebAdmin, then mail is only accepted from the upstream hosts, as you have noticed. Without an MX record pointing at your UTM, the traffic you will get on your UTM mail server IP address will be negligible.

    I know, I have had some weird IT managers with strange requests back in the day, but I was trying to wrap my head around the reasoning behind hiding your MTA completely from the internet when it is already denying everything besides your upstream hosts.
  • Hi

    What I'm trying to achieve is the following:

    1. Use the SMTP proxy in order to use the spam filter for incoming and outgoing mail, and to be able to tag my mails with DKIM information.

    2. Send and receive only via my smarthost.

    3. Hide my SMTP service at my public address, as this address seems to be listed in the SORBS DUHL lists. This listing happens because my public IP might be static... but it's located in a dynamic scope - and since my ISP suddenly stopped offering PTR records, it ends up in the SORBS DUHL.

    And as I have a web server on the same address, my mail domain is being coupled with this entry in SORBS... and that entry is a pain!

    Therefore I need to hide my MTA - SORBS DUHL.

    regards
    Flemming
  • So, 1 and 2 are already accomplished by running the SMTP proxy. Use the smarthost for outgoing mail in the outgoing mail settings, and receive only from the Azure Postfix on the incoming side.

    3. If you don't have an MX record pointing to your UTM, then how is it getting blacklisted... I guess I am a little confused on this, since all your outbound mail will be going via your smarthost (whitelisted in SORBS) and incoming mail would be coming to your Postfix in your MX record (again whitelisted in SORBS, not that it matters for incoming mail).
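What points 1 and 2 look like from the Postfix side of the Azure relay, as an added example that is not part of the original thread or anyone's posted configuration: the relay accepts mail for the hosted domain and hands it straight to the UTM, and it relays outbound mail only when it comes from the UTM's address, so it cannot be abused as an open relay. The UTM address and the domain are placeholders (RFC 5737 documentation range, example.org); the check function at the end is a local sanity test written for this example, not a Postfix feature.

```shell
#!/bin/sh
# Added example (not from the thread): Postfix settings for an Azure relay that
# fronts a UTM SMTP proxy. Placeholder values, not the thread author's setup.
UTM_PUBLIC_IP="203.0.113.10"   # placeholder: the UTM's public address
MAIL_DOMAIN="example.org"      # placeholder: the domain the UTM hosts

# main.cf settings for the relay.
# Inbound : accept mail for MAIL_DOMAIN (relay_domains) and route it via transport_maps.
# Outbound: permit_mynetworks lets only the UTM relay; reject_unauth_destination
#           refuses everything that is neither for relay_domains nor from mynetworks.
postfix_smarthost_settings() {
    utm_ip="$1"; domain="$2"
    cat <<EOF
relay_domains = ${domain}
transport_maps = hash:/etc/postfix/transport
mynetworks = 127.0.0.0/8 [::1]/128 ${utm_ip}/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_tls_security_level = may
smtp_tls_security_level = may
EOF
}

# /etc/postfix/transport entry: deliver MAIL_DOMAIN directly to the UTM on port 25.
# The brackets tell Postfix to skip the MX lookup and connect to the address as-is.
postfix_transport_entry() {
    utm_ip="$1"; domain="$2"
    printf '%s\tsmtp:[%s]:25\n' "$domain" "$utm_ip"
}

# Sanity check (example helper): fail if the generated settings would make the
# relay open, i.e. no reject_unauth_destination, or mynetworks covering the world.
check_not_open_relay() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q '^smtpd_relay_restrictions = .*reject_unauth_destination' || return 1
    printf '%s\n' "$conf" | grep -Eq '^mynetworks = .*(0\.0\.0\.0/0|/0( |$))' && return 1
    return 0
}

conf=$(postfix_smarthost_settings "$UTM_PUBLIC_IP" "$MAIL_DOMAIN")
check_not_open_relay "$conf" && echo "# relay policy OK: only ${UTM_PUBLIC_IP} may relay"
printf '%s\n' "$conf"
echo "# /etc/postfix/transport:"
postfix_transport_entry "$UTM_PUBLIC_IP" "$MAIL_DOMAIN"
```

Apply each emitted line with `postconf -e`, write the transport line to /etc/postfix/transport and run `postmap /etc/postfix/transport`; make sure `mydestination` does not also list the domain, or Postfix will deliver it locally instead of forwarding to the UTM. Two caveats that follow from the thread: since the UTM's public address sits in a DHCP scope, the /32 in `mynetworks` stops matching if that address ever changes, and the usual alternative is SMTP AUTH on the relay (`permit_sasl_authenticated` in place of `permit_mynetworks`, with the credentials entered in the UTM's smarthost settings); and on the UTM side the inbound restriction is the proxy's "Allow upstream/relay hosts only" setting, not a firewall rule, because the proxy accepts the connection before the packet-filter rules are consulted.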

  • Hi Billybob

    I couldn't agree more... and I suppose the listing is due to historical reasons, the mx-pointed to the address... and now they look at the address... I really don't know, but sorbs is starting to annoy the heck out of me...