  #1 (permalink)  
Old 06-08-2011, 02:32 AM
Elite Member
 
Posts: 469
How to limit connections to known senders

At present all of our email goes through external spam filters before delivery to us. So I know the 3 possible IP addresses that will connect to our server to deliver emails.

We have a new requirement for SSL verified email from a few clients. I am adding a new sub-domain MX record for these people to allow them to send email directly to us.

What I want to do is to limit incoming connections on port 25 to a known list of senders - either by IP address or domain name - whichever is easiest and most efficient to manage.

What is the best way to go about this?

Is there a Postfix lookup I can set up?

Or should I use iptables?

Or something different?

Thanks in advance.
  #2 (permalink)  
Old 06-08-2011, 03:11 AM
Zimbra Consultant & Moderator
 
Posts: 20,314

As your Zimbra server is only receiving mail from your spam filters I would have thought that a firewall would be the easiest thing to use (and not cause any upgrade problems). Is the Zimbra server not behind a firewall already?
__________________
Regards


Bill
  #3 (permalink)  
Old 06-08-2011, 03:40 AM
Elite Member
 
Posts: 469

Quote:
Originally Posted by phoenix
As your Zimbra server is only receiving mail from your spam filters I would have thought that a firewall would be the easiest thing to use (and not cause any upgrade problems). Is the Zimbra server not behind a firewall already?

That is the current situation.

But the new requirement is for up to 20 companies to send mail directly to us bypassing the spam filters - as they need to see a validated SSL certificate for our domain.

So the MX for mydomain.xy will point to the remote spam filters, and
the MX for direct.mydomain.xy will point directly to our server.

So, in future there could be up to 40-60 mail servers connecting directly to us.
  #4 (permalink)  
Old 06-08-2011, 04:56 AM
Zimbra Consultant & Moderator
 
Posts: 20,314

I'm assuming that mail from the external server will be from specific domains, so what about Restrict Postfix Recipients? I also assume you'll be adding the smtpd_reject_unlisted_recipient (if you don't already have it)?
__________________
Regards


Bill
  #5 (permalink)  
Old 06-08-2011, 05:44 AM
Elite Member
 
Posts: 469

Bill,

Thanks. That is very useful for further restricting the access. Just set it up and tested it for a few users, and it works great.

If I understand it rightly, these adjustments to main.cf have to be re-added any time I upgrade. Is that correct?

Is it safe to have the recipients/senders/tls files in the zimbra directory structure? Will they not get blown away by an upgrade? I had placed my tls_polity_table file in /etc as I was afraid it would get deleted during an upgrade.

At a basic level - would I be best to add iptables rules to allow only the 40-60 known IP addresses to connect to the server? Or, is there also a Postfix lookup for allowed sending hosts I could use?

Thanks again.
  #6 (permalink)  
Old 06-09-2011, 05:14 AM
Moderator
 
Posts: 2,207

Hi Vincent,

Quote:
Originally Posted by liverpoolfcfan
If I understand it rightly, these adjustments to main.cf have to be re-added any time I upgrade. Is that correct?

Yes.

Quote:
Originally Posted by liverpoolfcfan
Is it safe to have the recipients/senders/tls files in the zimbra directory structure? Will they not get blown away by an upgrade? I had placed my tls_polity_table file in /etc as I was afraid it would get deleted during an upgrade.

I guess if you create a new folder in /opt/zimbra and put everything in it, it won't be deleted.
But (I've learnt the hard way) if you put something in /opt/zimbra/jetty/whatever for example, it gets deleted on update...

Quote:
Originally Posted by liverpoolfcfan
At a basic level - would I be best to add iptables rules to allow only the 40-60 known IP addresses to connect to the server? Or, is there also a Postfix lookup for allowed sending hosts I could use?

You can add them to "mynetworks"?
ZimbraMtaMyNetworks - Zimbra :: Wiki
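The two options raised in the thread (an iptables allowlist and a Postfix client lookup) can both be generated from one list of sender addresses, so the firewall and the MTA never drift apart. The following is an added example, not part of the original thread or of Zimbra: it validates a constructed allowlist and emits a Postfix `cidr:` access table plus matching iptables rules. The sample addresses, reject text and function names are assumptions.

```python
import ipaddress

# Constructed sample allowlist (RFC 5737 documentation ranges, not real senders).
SAMPLE_ALLOWLIST = """\
192.0.2.10          # spam filter 1
192.0.2.12          # spam filter 2
192.0.2.14          # spam filter 3
198.51.100.0/28     # partner range sending to direct.mydomain.xy
198.51.100.8/29     # duplicate: already inside the /28 above
203.0.113.25        # single partner mail server
203.0.113.77/24     # host bits set: rejected, not widened to the whole /24
not-an-ip
"""

def parse_allowlist(text):
    """Return (collapsed IPv4 networks, rejected entries)."""
    nets, bad = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError:
            bad.append(entry)
    return list(ipaddress.collapse_addresses(nets)), bad

def postfix_cidr_table(nets):
    """Lines for a cidr: table referenced by check_client_access (first match wins)."""
    lines = [f"{n}\tOK" for n in nets]
    # Default deny for every other IPv4 and IPv6 client.
    lines += ["0.0.0.0/0\tREJECT Client not on allowlist",
              "::/0\tREJECT Client not on allowlist"]
    return lines

def iptables_rules(nets, port=25):
    """IPv4 rules: keep loopback delivery working, accept listed sources, drop the rest."""
    rules = [f"iptables -A INPUT -i lo -p tcp --dport {port} -j ACCEPT"]
    rules += [f"iptables -A INPUT -p tcp --dport {port} -s {n} -j ACCEPT" for n in nets]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    nets, bad = parse_allowlist(SAMPLE_ALLOWLIST)
    for entry in bad:
        print(f"# skipped invalid entry: {entry}")
    print("\n".join(postfix_cidr_table(nets)))
    print("\n".join(iptables_rules(nets)))
```

The table would be referenced from `smtpd_client_restrictions` as `check_client_access cidr:<path to the table>`, placed after `permit_mynetworks` so local clients are not caught by the catch-all REJECT; the path is left as a placeholder. An access table like this only admits or refuses the connection and does not add the listed hosts to the networks Postfix trusts.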