How to restrict access to the SMTP server 

Author:  Darrell May

Problem 1:  You want to restrict access to the SMTP server to allow only your ISP to connect and relay e-mail for your domain.

Problem 2:  You want to block someone from accessing your SMTP server and sending e-mails to your users.


Solution 1:  HowTo restrict access to the SMTP server to allow only your ISP to connect and relay e-mail for your domain.

Here are the steps required to restrict access to the SMTP server on e-smith so that only local networks and your defined IP ranges are able to connect to your SMTP server.  This is a good way to prevent hackers from accessing your SMTP server for spamming or for sending viruses.

In my case, I had a client who uses an ISP mail relay server for all inbound and outbound mail delivery.  The ISP checks for viruses inbound and outbound and I wanted to permit only the ISP mail relay server and local networks access to the SMTP server.  I wanted to block all other attempts to directly connect to the SMTP server, which would of course bypass the ISP virus check.


One file controls access to the SMTP server.  It is /etc/smtpd_check_rules which is actually a link to /var/spool/smtpd/etc/smtpd_check_rules.  A typical default setting is shown below:

#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# e-smith server and gateway software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org.
#
# copyright (C) 1999, 2000 e-smith, inc.
#------------------------------------------------------------

# Don't allow bang paths via us
noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.

# Don't allow two @s (equivalent to %hack) via us
noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.

# Don't allow %hack relay via us
noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.

# Allow relaying from the local network
allow:127.0.0.1:ALL:ALL
allow:192.168.1.0/24:ALL:ALL

# Prohibit access to these addresses from the outside world
noto:ALL:ALL:everyone@*.yourdomain.com everyone@yourdomain.com:551 Sorry %H (%I), you cannot send mail to %T from outside our local network.
noto:ALL:ALL:shared@*.yourdomain.com shared@yourdomain.com:551 Sorry %H (%I), you cannot send mail to %T from outside our local network.

# Allow any of our domains
allow:ALL:ALL:*.yourdomain.com *@yourdomain.com

# Just say no to anything else, we won't relay for people we don't know.
noto:ALL:ALL:ALL:551 Sorry %H(%I), I don't allow unauthorized relaying. Please use another SMTP host to mail from %F to %T

#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------


Here is a look at the two most important Allow sections above:

# Allow relaying from the local network
allow:127.0.0.1:ALL:ALL
allow:192.168.1.0/24:ALL:ALL

This basically says, "allow full access inbound and outbound to the SMTP server if the source came from one of your local networks".  These networks are your defaults of course plus any others you assign via the e-smith-manager Local Networks panel.

# Allow any of our domains
allow:ALL:ALL:*.yourdomain.com *@yourdomain.com

This basically says, "allow full access inbound to the SMTP server if they are sending to yourdomain.com".  This is the one we want to change to restrict inbound access to our ISP relay servers.  To do this simply create a new template fragment as follows and edit the entry as appropriate.  In my case I wanted to restrict access to my ISP relay servers which use the IP range 209.17.184.0/24:

mkdir -p /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
cd /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
cp /etc/e-smith/templates/var/spool/smtpd/etc/smtpd_check_rules/60AllowLocalDomains .
pico 60AllowLocalDomains

Here is the original file:

{
local %services = (smtpd => $smtpd);
$OUT = '';

my $status = db_get_prop(\%services, "smtpd", "status");

if (defined $status && $status eq "enabled")
{
$OUT .= "# Allow any of our domains\n";

$OUT .= "allow:ALL:ALL:*.${DomainName} *\@${DomainName}\n";

my %domains;
tie %domains, 'esmith::config', '/home/e-smith/domains';

my $key;

foreach $key (db_get(\%domains))
{
if (db_get_type(\%domains, $key) eq 'domain')
{
$OUT .= "allow:ALL:ALL:*.${key} *\@${key}\n";
}
}
}
}

In my case, I simply needed to edit both lines of "allow:ALL:ALL:" to "allow:209.17.184.0/24:ALL:" which now restricts access to that IP range only.  Then to finish simply expand the template and restart SMTP.  I choose to execute these commands:

/sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules
/sbin/e-smith/signal-event email-update

Now my clients SMTP server is restricted and permits access from their local networks and their ISP mail-relay-server only.


Solution 2:  HowTo block someone from accessing your SMTP server and sending e-mails to your users.

You simply need to create a custom smtpd_check_rules template entry named 10DenyList following these steps:

mkdir -p /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
cd /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
pico 10DenyList

Then enter the following lines replacing $EmailBlocks with a valid entry as shown below:

# Block access to the SMTP server from:
deny:ALL:$EmailBlocks:ALL

Address pattern examples:

  • ALL matches anything.
  • spamford@cyberpromo.com matches "spamford@cyberpromo.com"
  • ALL@cyberpromo.com matches any address from "cyberpromo.com"
  • *@cyberpromo.com same as above
  • ALL@*cyberpromo.com matches any address from anything ending in cyberpromo.com.
  • ALL@NS=*cyberpromo.com matches any address where the RHS uses a nameserver or MX ending in "cyberpromo.com".
  • sales@ALL matches "sales" from anywhere.
  • USER@obtuse.com The ident reply from the connecting host must be (case insensitively) the user part of the address that ends in obtuse.com.
  • /^[0-9]+@.*$/ (assuming USE_REGEX = 1 when built) Match any address that is all numbers in the user part

Then to finish simply expand the template and restart SMTP.  I choose to execute these commands:

/sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules
/sbin/e-smith/signal-event email-update