1

Topic: Locking down with Mailroute

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.2 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Ubuntu 18.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
I'm planning to use Mailroute to process all incoming email for my server. I want to lock it down so that only Mailroute can deliver mail to the server, but I also want to allow users to send mail out from the server. I think that I need a policy that:

Blocks everything, unless
1. The IP address is from the Mailroute block of IPs
-or-
2. The sender is SMTP authenticated

How can I do this? It's not clear to me if the global blacklist can blacklist absolutely everything, allowing me to then whitelist just the Mailroute IPs. And if I can do that, how do I add an exception for senders who are SMTP authenticated?

Thanks.


2

Re: Locking down with Mailroute

How about using the iptables firewall directly?

3

Re: Locking down with Mailroute

ZhangHuangbin wrote:

How about using the iptables firewall directly?

That takes care of #1 easily enough, but locks me out of sending emails over SMTP, since I’ll be connecting from home, work, cellular, etc.

4

Re: Locking down with Mailroute

I think I can just edit /etc/postfix/main.cf and use Postfix to enforce this.

First, add Mailroute to mynetworks.

mynetworks = 127.0.0.1 [::1] 199.89.0.0/21

Then enforce that all connections have to come from mynetworks or authenticated clients.

smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject

This seems to work like I want it to.
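
A narrower variant of the configuration in the post above, added here as an example and not taken from any post in the thread: it accepts the Mailroute range at the client-restriction stage only, through a CIDR access table, and leaves it out of mynetworks. It assumes the rest of main.cf uses permit_mynetworks in its relay or recipient restrictions (Postfix's default smtpd_relay_restrictions begins with it), in which case every mynetworks member is also trusted to relay. The file name mailroute_clients.cidr is hypothetical.

```conf
# --- /etc/postfix/mailroute_clients.cidr (hypothetical file name) ---
# cidr: tables are read as plain text, so no postmap run is needed.
# OK accepts the client for this restriction stage only; later stages
# (relay and recipient restrictions) still apply to Mailroute.
199.89.0.0/21    OK

# --- /etc/postfix/main.cf ---
# Keep mynetworks limited to the local host, so the filtering service
# is not treated as a trusted relay client elsewhere in the config.
mynetworks = 127.0.0.1 [::1]

# Evaluated in order: local host, then authenticated users, then the
# Mailroute range; every other client is rejected.
smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access cidr:/etc/postfix/mailroute_clients.cidr
    reject
```

After a reload, `postconf -n mynetworks smtpd_client_restrictions` shows the values Postfix is actually using.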

5

Re: Locking down with Mailroute

Thanks for sharing.