Rule to allow incoming traffic to port 25 only from specific address

Hello,

I would like to ask you to help me write a firewall rule to:

  • rule to allow incoming traffic to port 25 only from specific address

We have two MX entries with priority 5 and 10. 5 is an external SPAM filter, but unfortunately some spam bypasses the spam filter by sending mail directly to our mail server. I need a firewall rule which only allows e-mail traffic from our spam filter and drops every other mail related traffic.

Is it possible to get an e-mail alert if this happens?

Thank you very much.

It does not make sense to me. If you don’t want anyone connecting to your mail server, why advertise it as MX? Remove it, keep only one MX pointing to your external filtering server and your problem is solved.

Dear Sob,

We are using the Barracuda spam filter as a service provided by a local distributor. If anything goes wrong with the spam filter (a failure, for example), I only need to disable the rule in our router.

Could you help me write this rule?

Thank you

If you must, you can use e.g.:

/ip firewall filter
add action=reject chain=forward dst-address=2.3.4.5 protocol=tcp dst-port=25 \
    src-address=!1.2.3.4 reject-with=tcp-reset

Where 2.3.4.5 is your server’s address and 1.2.3.4 the only allowed address. Don’t use drop, because if you’re advertising an unreachable server, be at least nice enough to tell other servers immediately that it’s not available and don’t let them waste resources.

I wouldn’t try anything with e-mail alerts. With port scans running day and night, you could easily have hundreds or thousands of reports every day, with no real value. And not even port scans: if you put a server in MX, you must expect that others will try to connect to it. They should prefer the one with lower priority and most will, but if for any reason they have trouble connecting there, they will (and should) try the backup.

I wish I could still up-vote posts. Sob’s answer is perfect in many ways.

I should also point out that the server IP in the suggested rule should be the private IP if you’re using NAT.

Also - if your provider has multiple sources, then use an address list to match the src-address.
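The two points above (private server IP behind NAT, address list for a provider with several sending addresses) combined with Sob’s reject rule, as an added example that is not code from this thread. All addresses are placeholders: 192.0.2.10 and 192.0.2.11 stand for the spam filter’s outbound IPs, 10.0.0.25 for the mail server’s private (post-dst-nat) address.

```routeros
# Added example, not from the thread. Placeholder addresses throughout.
# Allowed senders go into an address list so a provider with several
# outbound IPs needs no change to the filter rule itself.
/ip firewall address-list
add list=mail-filter address=192.0.2.10 comment="spam filter outbound 1"
add list=mail-filter address=192.0.2.11 comment="spam filter outbound 2"

# The forward chain sees the already-translated destination, so when the
# server sits behind dst-nat the match must use its private address.
# reject-with=tcp-reset tells other MTAs at once that the host is not
# accepting mail instead of letting them time out on dropped packets.
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address=10.0.0.25 \
    src-address-list=!mail-filter action=reject reject-with=tcp-reset \
    comment="SMTP only from spam filter"

# Backup plan: lift the restriction while the filtering service is down,
# then put it back. The comment is the handle for find.
/ip firewall filter disable [find comment="SMTP only from spam filter"]
/ip firewall filter enable [find comment="SMTP only from spam filter"]

# Instead of e-mail alerts, look at the rule counters now and then to see
# how much direct SMTP is being turned away.
/ip firewall filter print stats where comment="SMTP only from spam filter"
```

Adding a second outbound address for the provider is then a single address-list entry; the filter rule stays untouched, and the counters show whether the rule is actually matching before the backup MX is relied on.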

First of all thank you.

But you wrote “if you’re advertising unreachable server”… I don’t want to advertise anything. I don’t know what the best practice is.

I have a third party provider who gives spam filter service for us, but if this spam filter goes down we need a “backup plan”. As I read somewhere, it is a totally acceptable method to set two MX records and block the lowest priority with a firewall or Exchange connector. In that case, if the spam filter fails, you only need to disable the firewall rule which blocks it, and done.
What do you think?

I have to admit, I don’t know either if there’s any “official” best practice.

I would go with only one MX (external spam filtering server) and if it went down, I’d update DNS to point to my real server directly. To me, it’s the proper way.

On the other hand, it does have its downsides. It’s definitely more work than just one click to enable/disable a firewall rule. It’s also not effective immediately, because it depends on the TTL of your DNS records(*) how long it will take before everyone notices the change. It’s probably not critical, because mail does not get lost; mail servers try for a while before they return it to the sender as undeliverable.

Your way, saying (by publishing MX records) “hey, these are servers that handle mail for my domain” and then not allowing access to some of them, does not feel right. But it is easier and won’t be a problem in most cases. So as long as you’re nice, by which I mean that you actively reject the connection instead of just dropping packets and letting remote servers time out, it’s probably fine, or at least acceptable.

(*) That’s another interesting topic, what is the right TTL. Opinions differ greatly, some recommend whole one day as minimum (that would not be usable for you), some say one hour is fine, others recommend 15 minutes, … In reality, most big domains seem to use one hour, but some go as low as 5 minutes. Now take your pick what is right.