Locking down your mail server

Our anti-spam service filters email for your domains and delivers it to your normal mail server.

It works well and flexibly, but it can only filter email that it receives. Some spammers will try to deliver to your old MX records, or directly to your website's address. Such email bypasses our system entirely, and so you will still see this spam.

To stop sneaky backdoor delivery, you will need to lock down your normal mail server such that only Bytemark is allowed to deliver to it. That way, you know the only email your server is receiving has been filtered properly.

However, you should wait 3-4 weeks after changing any MX records before locking down your server, since your old MX records may persist longer than you expect, and you could otherwise end up blocking legitimate email.

The theory: in brief

You need to make sure that email coming into your mail server satisfies one of two conditions:

  1. It has arrived from one of Bytemark’s anti-spam servers’ authorised IP addresses.
  2. It has been authenticated, i.e. one of your users has supplied a username and password to your mail server in order to use it for forwarding.

The IP ranges from which Bytemark will forward email are:

  • 89.16.184.144/28
  • 89.16.176.76
  • 89.16.176.77

See below for some ideas on how to implement this.

The easy way: firewalling

The simplest way to implement this is to use a packet filter.

The following simple shell script will implement this policy, assuming you have no existing firewall.

#!/bin/sh
# Sources allowed to deliver to port 25: Bytemark's anti-spam ranges,
# plus loopback so local delivery tools on the box itself still work.
ips="
  89.16.184.144/28
  89.16.176.76
  89.16.176.77
  127.0.0.1
"

# Create a dedicated chain and send all inbound SMTP (TCP/25) through it.
iptables -N smtp-in
iptables -A INPUT -p tcp --dport 25 -j smtp-in

# Accept the approved sources, then reject everything else on port 25.
for ip in $ips ; do
  iptables -A smtp-in -s "$ip" -j ACCEPT
done
iptables -A smtp-in -j REJECT

Please note that this simple approach involves two potential compromises on the administrator’s part:

  1. It will stop anyone wanting to use your mail server for authenticated SMTP.
  2. It assumes that all mail for all domains on your server is being filtered by Bytemark; other email will be blocked.

However, it is very simple and totally secure.
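The first compromise above can be avoided without giving up the firewall approach: keep port 25 restricted to Bytemark and loopback, but leave the submission port (587) open and let the MTA's AUTH requirement control access there. The script below is an added example written for this page, not Bytemark's own script; it assumes your MTA already listens on 587 and requires authentication there, and that there are no other INPUT rules for these ports. The rule set is built as text first so it can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: firewall lockdown that still permits authenticated
# submission on port 587. Assumes (hypothetically) an MTA that requires
# AUTH on 587 and no pre-existing INPUT rules for ports 25 or 587.

# Bytemark ranges from the page, plus loopback for local delivery tools.
ALLOWED_SMTP_SOURCES="89.16.184.144/28 89.16.176.76 89.16.176.77 127.0.0.1"

# Print the rule set, one rule per line, without running anything.
build_smtp_rules() {
    echo "-N smtp-in"
    # Everything arriving on port 25 goes through the smtp-in chain.
    echo "-A INPUT -p tcp --dport 25 -j smtp-in"
    # Port 587 is for authenticated submission, so it stays reachable;
    # the MTA's AUTH requirement is the access control on that port.
    echo "-A INPUT -p tcp --dport 587 -j ACCEPT"
    for src in $ALLOWED_SMTP_SOURCES; do
        echo "-A smtp-in -s $src -j ACCEPT"
    done
    # Anything else on port 25 gets a TCP reset rather than a silent drop,
    # so misdirected senders fail fast instead of retrying for days.
    echo "-A smtp-in -j REJECT --reject-with tcp-reset"
}

# Sanity check: how many sources are whitelisted for port 25.
count_allowed_sources() {
    build_smtp_rules | grep -c -- '-A smtp-in -s '
}

# Apply the rules. Override IPTABLES (e.g. with a function that echoes
# its arguments) to dry-run without root.
apply_smtp_rules() {
    IPT="${IPTABLES:-iptables}"
    build_smtp_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        "$IPT" $rule
    done
}

case "${1:-}" in
    apply) apply_smtp_rules ;;
    show)  build_smtp_rules ;;
esac
```

Run it with `show` to print the rules and `apply` (as root) to install them. Note that the rules are added in order, so the `INPUT` jump exists briefly before the chain is populated; on a busy server, build the chain first and add the jump last if that window matters to you.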

The harder way: tell the policy to your mail transfer agent

The no-compromise approach to locking down your mail server is to tell your mail transfer agent (e.g. exim, qmail, postfix) about your policy, so that it accepts mail only from Bytemark's addresses or from authenticated users.

At present we have a largely untested script for qmail, and no advice for other MTAs as yet. However I would welcome input from customers on this issue!
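For Postfix, the policy above maps onto two settings: `mynetworks` (which hosts are trusted) and `smtpd_recipient_restrictions` (accept trusted hosts and SASL-authenticated users, reject everyone else). The script below is an added example and not advice from the original page; it assumes a Postfix installation where SASL authentication is already configured, and applies the settings with `postconf -e`. The values are built by small functions so they can be inspected before being written to main.cf.

```shell
#!/bin/sh
# Added example: express the lockdown policy in Postfix rather than the
# firewall. Assumes Postfix with SASL already set up (hypothetical host).

# Bytemark's anti-spam ranges, as given on the page.
BYTEMARK_NETS="89.16.184.144/28 89.16.176.76/32 89.16.176.77/32"

# Value for mynetworks: loopback plus the Bytemark ranges.
postfix_mynetworks() {
    printf '127.0.0.0/8'
    for net in $BYTEMARK_NETS; do
        printf ', %s' "$net"
    done
    printf '\n'
}

# Only hosts in mynetworks or authenticated users may deliver; everything
# else is rejected at RCPT TO, which is what stops backdoor delivery.
postfix_recipient_restrictions() {
    echo 'permit_mynetworks, permit_sasl_authenticated, reject'
}

# Write the settings to main.cf. Override POSTCONF with a function that
# echoes its arguments to preview the changes without touching the config.
apply_postfix_lockdown() {
    PC="${POSTCONF:-postconf}"
    "$PC" -e "mynetworks = $(postfix_mynetworks)"
    "$PC" -e "smtpd_recipient_restrictions = $(postfix_recipient_restrictions)"
    # Users submitting mail must authenticate (they should use port 587).
    "$PC" -e "smtpd_sasl_auth_enable = yes"
}

if [ "${1:-}" = "apply" ]; then
    apply_postfix_lockdown
fi
```

After applying, reload Postfix and test from an outside host that an unauthenticated `RCPT TO` for one of your domains is refused, while a delivery relayed through Bytemark still arrives; the 3-4 week waiting period for old MX records applies here just as it does to the firewall approach.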
