Locking down your SMTP server when using the Bytemark anti-spam service

Our anti-spam service filters email for your domains and delivers it to your normal mail server.

It works well and flexibly, but it can only filter email that it actually receives. Some spammers will try to deliver directly to your old MX records, or to your web site's address, bypassing the filter entirely. Such email cannot be caught by our system, so you will still see this spam.

To stop this sneaky backdoor delivery, you need to lock down your normal mail server so that only Bytemark is allowed to deliver to it. That way you know that every piece of email your server receives has been filtered properly.

However, you should wait 3-4 weeks between changing your MX records and locking down your server: your old MX records may be cached by other mail servers for longer than you expect, and if you lock down too early you will block legitimate email that is still being delivered directly to your server.

The theory: in brief

You need to make sure that every email your mail server accepts satisfies one of two conditions:

  1. It has arrived from one of the authorised IP addresses of Bytemark's anti-spam servers.
  2. It has been authenticated, i.e. one of your users has supplied a username and password to your mail server (SMTP AUTH) in order to relay mail through it.

The IP ranges from which Bytemark will forward email are:

  • 89.16.184.144/28
  • 89.16.176.76
  • 89.16.176.77

See below for some ideas on how to implement this.

The easy way: firewalling

The simplest way to implement this is to use a packet filter.

The following simple shell script will implement this policy, assuming you have no existing firewall.

#!/bin/sh
# Allow inbound SMTP (TCP port 25) only from Bytemark's anti-spam relays
# and from localhost; reject everyone else.  Assumes no existing firewall.
ips="
  89.16.184.144/28
  89.16.176.76
  89.16.176.77
  127.0.0.1
"

# Keep the SMTP policy in its own chain so it is easy to inspect and flush.
iptables -N smtp-in
iptables -A INPUT -p tcp --dport 25 -j smtp-in
for ip in $ips ; do
  iptables -A smtp-in -s $ip -j ACCEPT
done
# Anything not matched above is refused (the sender sees a connection reset
# rather than a silent timeout).
iptables -A smtp-in -j REJECT

Please note that this simple approach involves two compromises on the administrator's part:

  1. it will stop anyone wanting to use your mail server for authenticated SMTP on port 25 (the rule does not touch the submission port, 587, so users who submit mail there are unaffected).
  2. it assumes that all mail for all domains on your server is being filtered by Bytemark; email for any other domain will be blocked.

However it is very simple, and it depends on nothing in your mail server's configuration, so a later change to your MTA cannot quietly reopen the back door. Two things to check before relying on it: the rules above cover IPv4 only, so if your server also answers SMTP on an IPv6 address you need an equivalent ip6tables rule (Bytemark's ranges above are all IPv4, so on IPv6 it can simply reject port 25 altogether); and if you already have a firewall, make sure the INPUT rule lands before any existing rule that accepts port 25, otherwise it is never reached.

The harder way: tell the policy to your mail transfer agent

The no-compromise approach to locking down your mail server is to tell your mail transfer agent (e.g. exim, qmail, postfix) about your policy, so that it accepts a connection on port 25 only from Bytemark's addresses or from a user who has authenticated.

At present we have a largely untested script for qmail, and no advice for other MTAs as yet. However I would welcome input from customers on this issue!
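For Postfix, one of the MTAs named above, here is an added example of expressing the same two-condition policy from "The theory: in brief" (this is not Bytemark's script, nor the untested qmail script mentioned above). It assumes Postfix with SASL authentication already working; the map path /etc/postfix/bytemark_clients.cidr, the function names and the "apply" argument are choices made for this example. Run with no arguments it only prints the configuration it would install and lets you check any client address (say, the one in a Received: header) against the allowed list; run as root with "apply" it writes the map, sets smtpd_client_restrictions and reloads Postfix.

```shell
#!/bin/sh
# Added example, not Bytemark's code: tell Postfix that port 25 accepts mail
# only from Bytemark's relays or from SASL-authenticated users.  Assumes a
# working Postfix with SASL auth; the map path below is an assumption.
set -eu

CIDR_MAP=/etc/postfix/bytemark_clients.cidr   # assumed path for this example

# Bytemark's forwarding addresses from the page, plus loopback so local
# programs that submit via 127.0.0.1:25 keep working.
ALLOWED="89.16.184.144/28 89.16.176.76 89.16.176.77 127.0.0.0/8"

# Postfix CIDR access table.  "OK" here only passes the client-restriction
# stage; relay control (reject_unauth_destination) still applies, which is
# why these hosts are deliberately NOT added to mynetworks.
bytemark_cidr_map() {
    for net in $ALLOWED; do
        case $net in
            */*) printf '%s\tOK\n' "$net" ;;
            *)   printf '%s/32\tOK\n' "$net" ;;
        esac
    done
}

# Evaluation order is the policy: Bytemark relay -> accept,
# authenticated user -> accept, anyone else -> reject.
client_restrictions() {
    echo "check_client_access cidr:$1, permit_sasl_authenticated, reject"
}

# --- self-check: would Postfix treat this IP as an allowed client? ---
ip2int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {   # in_cidr IP NET[/BITS]; a bare address means /32
    net=${2%%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

is_allowed_client() {   # true if IP may deliver to port 25 unauthenticated
    for net in $ALLOWED; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

if [ "${1:-}" = apply ]; then
    # Needs root.  cidr: tables are read directly, so no postmap step.
    bytemark_cidr_map > "$CIDR_MAP"
    postconf -e "smtpd_client_restrictions = $(client_restrictions "$CIDR_MAP")"
    postfix reload
else
    echo "# $CIDR_MAP"
    bytemark_cidr_map
    echo "# main.cf: smtpd_client_restrictions = $(client_restrictions "$CIDR_MAP")"
fi
```

Because the CIDR table only answers OK at the client-restriction stage, Bytemark's relays remain subject to reject_unauth_destination in smtpd_recipient_restrictions, so this does not turn your server into an open relay for them; putting the same ranges into mynetworks would. With Postfix's default smtpd_delay_reject = yes the rejection is delivered at RCPT TO rather than at connect time, which is normal. Mail injected locally through sendmail(1) never passes through smtpd and is unaffected, and authenticated users can keep submitting on port 25 or 587, which is exactly the compromise the firewall-only approach cannot offer.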
