
Thread: How to limit connections to known senders

  1. #1

    At present all of our email goes through external spam filters before delivery to us. So I know the 3 possible IP addresses that will connect to our server to deliver emails.

    We have a new requirement for SSL verified email from a few clients. I am adding a new sub-domain MX record for these people to allow them to send email directly to us.

    What I want to do is to limit incoming connections on port 25 to a known list of senders - either by IP address or domain name - whichever is easiest and most efficient to manage.

    What is the best way to go about this?

    Is there a Postfix lookup I can set up?

    Or should I use iptables?

    Or something different?

    Thanks in advance.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    As your Zimbra server is only receiving mail from your spam filters I would have thought that a firewall would be the easiest thing to use (and not cause any upgrade problems). Is the Zimbra server not behind a firewall already?
    Regards


    Bill

  3. #3

    Originally posted by phoenix:
        As your Zimbra server is only receiving mail from your spam filters I would have thought that a firewall would be the easiest thing to use (and not cause any upgrade problems). Is the Zimbra server not behind a firewall already?

    That is the current situation.

    But the new requirement is for up to 20 companies to send mail directly to us bypassing the spam filters - as they need to see a validated SSL certificate for our domain.

    So the MX for mydomain.xy will point to the remote spam filters, and
    the MX for direct.mydomain.xy will point directly to our server.

    So, in future there could be up to 40-60 mail servers connecting directly to us.

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    I'm assuming that mail from the external server will be from specific domains, so what about Restrict Postfix Recipients? I also assume you'll be adding the smtpd_reject_unlisted_recipient (if you don't already have it)?
    Regards


    Bill

  5. #5

    Bill,

    Thanks. That is very useful for further restricting the access. Just set it up and tested it for a few users, and it works great.

    If I understand it rightly, these adjustments to main.cf have to be re-added any time I upgrade. Is that correct?

    Is it safe to have the recipients/senders/tls files in the zimbra directory structure? Will they not get blown away by an upgrade? I had placed my tls_polity_table file in /etc as I was afraid it would get deleted during an upgrade.

    At a basic level - would I be best to add iptables rules to allow only the 40-60 known IP addresses to connect to the server? Or, is there also a postfix lookup for allowed sending hosts I could use?

    Thanks again.

  6. #6

    Hi Vincent,

    Originally posted by liverpoolfcfan:
        If I understand it rightly, these adjustments to main.cf have to be re-added any time I upgrade. Is that correct?

    Yes.

    Originally posted by liverpoolfcfan:
        Is it safe to have the recipients/senders/tls files in the zimbra directory structure? Will they not get blown away by an upgrade? I had placed my tls_polity_table file in /etc as I was afraid it would get deleted during an upgrade.

    I guess if you create a new folder in /opt/zimbra and put everything in it, it won't be deleted.
    But (I've learnt the hard way) if you put something in /opt/zimbra/jetty/whatever for example, it gets deleted on update...

    Originally posted by liverpoolfcfan:
        At a basic level - would I be best to add iptables rules to allow only the 40-60 known IP addresses to connect to the server? Or, is there also a postfix lookup for allowed sending hosts I could use?

    You can add them to "mynetworks"?
    ZimbraMtaMyNetworks - Zimbra :: Wiki
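
An added example, not written by any poster in this thread: one allowlist file feeding both options discussed above, iptables rules for port 25 and a Postfix `cidr:` table for `check_client_access`. The sample addresses, the function names and the single-source-file layout are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allowlist using documentation address ranges.
SAMPLE_ALLOWLIST = """\
# external spam filters
192.0.2.10
192.0.2.11
198.51.100.0/28   # client A outbound pool
198.51.100.4      # duplicate: already inside the /28
2001:db8:25::/64  # client B
not-an-ip
"""

def parse_allowlist(text):
    """Return (collapsed networks, rejected entries) from one entry per line."""
    nets, bad = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects typos such as 198.51.100.5/28 (host bits set)
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            bad.append(entry)
    # collapse_addresses cannot mix IPv4 and IPv6, so merge each family alone
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6), bad

def iptables_rules(nets, port=25):
    """Rule lines per IP version: accept listed sources, then drop the rest."""
    rules = {4: [], 6: []}
    for n in nets:
        rules[n.version].append(f"-A INPUT -p tcp --dport {port} -s {n} -j ACCEPT")
    for lines in rules.values():
        lines.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules

def postfix_cidr_table(nets):
    """Lines for a Postfix cidr: table referenced by check_client_access."""
    return [f"{n}\tOK" for n in nets]

if __name__ == "__main__":
    nets, bad = parse_allowlist(SAMPLE_ALLOWLIST)
    print("rejected entries:", bad)
    for version, lines in iptables_rules(nets).items():
        print(f"# ip{'6' if version == 6 else ''}tables", *lines, sep="\n")
    print("# Postfix cidr table", *postfix_cidr_table(nets), sep="\n")
```

The cidr table only takes effect once main.cf references it, for example `smtpd_client_restrictions = check_client_access cidr:<path>, reject`. Unlike a `mynetworks` entry, which by default also lets the listed hosts relay, this only decides who may connect.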
