How to Configure Exim to receive email for domain only from specific IP addresses


This article describes one way to limit incoming SMTP delivery for specific domains to a list of known-safe relay IP addresses. Suppose you have a domain, mydomain.com, and you want all email for it to pass through an external filtering host; let's call it filtermail.com.

You would typically set the MX records for mydomain.com to point to in.filtermail.com as follows:

mydomain.com. 14400 IN MX 10 in.filtermail.com.

Presumably you would then configure filtermail.com to send your sanitised, cleaned mail on to mail.mydomain.com, and set up your Exim config to accept all mail for your domain locally. Great, so now you are happily filtering your mail for spam. But wait: some sneaky monkey decides to ignore the MX record and send spam directly to mail.mydomain.com, and your Exim happily receives it. An MX record only tells well-behaved senders where to connect; Exim does not consult it when deciding whether to accept a message, so any host that can reach port 25 on mail.mydomain.com can deliver straight to it.

So we need to tell Exim NOT to accept any mail for mydomain.com UNLESS it comes from, let's say for the sake of argument, out.filtermail.com, which for this example has the IP address 194.189.242.1.

Build the safe lists

The first thing to do is create two files: one containing the names of the domains we want to restrict, and a second listing the IP address(es) of the approved relays (i.e. the filtermail.com machines that will be sending the cleaned mail back to us).

Let's call the first file /etc/filterdomains. It contains the domains we want filtered, and have set up the special MX records for, as a plain list of domain names (one per line):

mydomain.com
anotherdomain.com
and-so-on.com

The second file we will call /etc/filterrelays. It contains the safe relay IP addresses, one per line, and might look like this (keep both files root-owned and not writable by anyone else, since anyone who can append to /etc/filterrelays can bypass the check):

194.189.242.1
194.189.242.2

Modify exim.conf

Firstly, if you are using WHM, use the Advanced Exim Configuration Editor to make these changes so that they "should" survive cPanel updates. It would be a good idea to take a copy of all /etc/exim* files first, in case you make a hash of it!

OK, now we are in the bear pit. We need to add a couple of definitions near the top of exim.conf, alongside the existing hostlist and domainlist definitions, as follows:

hostlist filter_relays = net-lsearch;/etc/filterrelays : net-lsearch;/etc/relayhosts
domainlist filter_domains = lsearch;/etc/filterdomains

/etc/relayhosts is cPanel's existing list of hosts allowed to relay through this server; including it in filter_relays means those hosts are also trusted to deliver to the filtered domains. Drop that second item if you want only the filtering service to get through.

Then look for the check_recipient: block; shortly after its start there should be a line:

accept  hosts = :

Immediately after this line, add the following:

deny
  !hosts = +filter_relays
  domains = +filter_domains
  message = Please use the proper domain MX record

The rule reads: if the connecting host is NOT in filter_relays AND the recipient domain IS in filter_domains, reject. Because it sits in the RCPT-time ACL, before the later accept for local domains, the rejection happens during the SMTP session: the sending host gets a 550 with the message above, and your server never accepts the message or generates a bounce for it.

Once you have done this, restart Exim using either

/etc/init.d/exim restart

or if you are running WHM you can run

/scripts/restartsrv_exim

If everything is well, mail for the domains in /etc/filterdomains will only be accepted from your mail filtering service's IP addresses, keeping the cheeky monkeys out!
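The way to confirm the rule fires before trusting it with production mail is Exim's fake-SMTP mode, exim -bh, which runs the ACLs as if a connection had arrived from a given IP address without delivering anything. The script below is an added example and is not part of the original article: it feeds a HELO/MAIL/RCPT dialogue to exim -bh for each (source IP, recipient) pair and classifies the reply. It assumes the deny rule above is installed with its "Please use the proper domain MX record" message; the filter relay 194.189.242.1 and mydomain.com are the article's placeholders, 203.0.113.7 and unfiltered.example are made up for the test, and unfiltered.example stands for a domain hosted on this server that is not listed in /etc/filterdomains.

```shell
#!/bin/sh
# Added example (not from the original article): probe the check_recipient
# ACL with exim -bh. Run as root on the Exim host; nothing is delivered.

# Build the SMTP dialogue that exim -bh will feed through the ACLs.
# $1 = HELO name, $2 = envelope sender, $3 = recipient address
smtp_script() {
    printf 'HELO %s\nMAIL FROM:<%s>\nRCPT TO:<%s>\nQUIT\n' "$1" "$2" "$3"
}

# Reduce an exim -bh transcript to one word. The fake session prints the
# SMTP replies the server would have sent: a 550 carrying our deny message
# means the rule fired, "250 Accepted" is Exim's reply to an accepted RCPT.
# $1 = full transcript text
classify_transcript() {
    if printf '%s\n' "$1" | grep -q '^550.*Please use the proper domain MX record'; then
        echo denied
    elif printf '%s\n' "$1" | grep -q '^250 Accepted'; then
        echo accepted
    else
        echo unknown
    fi
}

# Run one fake session pretending to come from IP $1, for recipient $2.
# The sender address is an assumed placeholder; the ACL above ignores it.
probe_rcpt() {
    smtp_script probe.example 'probe@example.com' "$2" | exim -bh "$1" 2>&1
}

# Expected outcomes given the article's lists: the filter relay may deliver
# to mydomain.com, a stranger may not, and a non-filtered local domain is
# untouched. Each spec is "ip recipient expected".
run_checks() {
    failures=0
    for spec in \
        '194.189.242.1 user@mydomain.com accepted' \
        '203.0.113.7 user@mydomain.com denied' \
        '203.0.113.7 user@unfiltered.example accepted'
    do
        set -- $spec
        got=$(classify_transcript "$(probe_rcpt "$1" "$2")")
        if [ "$got" = "$3" ]; then
            echo "ok:   $1 -> $2 ($got)"
        else
            echo "FAIL: $1 -> $2 expected $3, got $got"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Invoke with "run" to execute the probes: sh probe_acl.sh run
[ "${1:-}" = run ] && run_checks
```

If the second probe comes back "accepted", the deny rule is below an accept that matched first (for example the accept for local domains), so move it up; if the first comes back "denied", the relay IP is not matching filter_relays, and the transcript's ">>>" debug lines show which list items were tried.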

Notes on usage

Again, this was done using Exim 4 under the WHM 11.25.* environment on CentOS. Always test things like this in a safe environment, not on your production servers. Use of this information is entirely at your own risk!


5 Responses to “How to Configure Exim to receive email for domain only from specific IP addresses”

  1. Stuart Ryan January 20, 2014 at 8:43 am #

    Heya,
    Thanks for the great article, just a slight modification to that which I have put together:

    ———————————————————-
    accept authenticated = *

    deny
    !hosts = +filter_relays
    domains = +filter_domains
    message = Please use the proper domain MX record

    ———————————————————-

    Reasoning behind this was that I still wanted to use the machine as an SMTP server for outgoing connections for my mail on a filtered domain. Works a charm so long as you use SMTP authentication for outgoing mail.

    • Stuart Ryan August 23, 2014 at 11:19 am #

      All righty, a slight modification to my above modification.

      This gets around an issue where the original block did not accept things from mailman (i.e. localhost was not permitted and would not work by simply adding localhost or 127.0.0.1 to the filterrelays file).

      ———————————————————-
      accept authenticated = *

      deny
      !hosts = +filter_relays
      !hosts = +loopback
      domains = +filter_domains
      message = Please use the proper domain MX record
      ———————————————————-

      Just in case this is useful for anyone :)
      Stuart

  2. Keven Webb October 26, 2010 at 11:34 pm #

    I found that I need a slight variation of this technique

    In the hostlist filter_relays entry, I used: net-lsearch;/etc/filterrelays : net-lsearch;/etc/relayhosts : /etc/filternets

    The last grouping (/etc/filternets) has no “search type” and, therefore, allows for subnet ranges.

    For Postini (which uses a range of IP addresses), I needed
    64.18.0.0/20
    on a line in /etc/filternets.

    Thanks for getting this documented.

    • steve October 27, 2010 at 7:04 am #

      Thanks Keven – that’s a useful tip, which actually answers something I was going to be looking at shortly – great timing!

Trackbacks/Pingbacks

  1. Stop Incoming Email Except from External Spam Filter - cPanel Forums - March 27, 2010

