You are here:Home > Support > Technical Documents > Locking down your SMTP server when using the Bytemark anti-spam service
Locking down your mail server
Our anti-spam service filters email for your domains, and delivers is to your normal mail server.
It works well and flexibly, but it can only filter email that it receives. Some spammers are will try to deliver to your old MX records, or to your web site address. Such email cannot be caught by our system, and so you will still see this spam.
To stop sneaky backdoor delivery, you will need to lock down your normal mail server such that only Bytemark is allowed to deliver to it. That way, you know the only email your server is receiving has been filtered properly.
However you should really make sure that you wait 3-4 weeks from changing any MX records to locking down your server, since your old MX records may persist longer than you expect, and you may end up blocking legitimate email.
The theory: in brief
You need to make sure that email coming into your mail server satisfies one of two conditions:
- It has arrived from one of Bytemark’s anti-spam servers’ authorised IP addresses.
- It has been authenticated, i.e. one of your users has supplied a username and password to your mail server in order to use your server for forwarding
The IP ranges from which Bytemark will forward email are:
See below for some ideas on how to implement this.
The easy way: firewalling
The simplest way to implement this is to use a packet filter.
The following simple shell script will implement this policy, assuming you have no existing firewall.
ips=" 126.96.36.199/28 188.8.131.52 184.108.40.206 127.0.0.1 " iptables -N smtp-in iptables -A INPUT -p tcp --dport 25 -j smtp-in for ip in $ips ; do iptables -A smtp-in -s $ip -j ACCEPT done iptables -A smtp-in -j REJECT
Please note that this simple approach will involve two potential compromises on the administrator’s part:
- it will stop anyone wanting to use your mail server for authenticated SMTP.
- it assumes that all mail for all domains on your server is being filtered by Bytemark – other email will be blocked.
However it is very simple and totally secure.
The harder way: tell the policy to your mail transfer agent
The no-compromise approach to locking down your mail server is to tell your mail transfer agent (i.e. exim, qmail, postfix) about your policy.
At present we have a largely untested script for qmail, and no advice for other MTAs as yet. However I would welcome input from customers on this issue!