This article describes one way to limit incoming SMTP connections for specific domains to a list of specific safe relay IP addresses. Let’s suppose that you have a domain, mydomain.com – and you want to filter all email for this domain via an external host – let’s call it filtermail.com.
You would typically set the MX records for mydomain.com to point to in.filtermail.com as follows:
mydomain.com. 14400 IN MX 10 in.filtermail.com.
And, presumably, you would configure filtermail.com to send your sanitised, cleaned mail back to mail.mydomain.com and set your exim config to accept all mail locally for your domain. Great, so now you are happily filtering your mail for spam – but wait… some sneaky monkey decides to try sending spam directly to mail.mydomain.com, and your exim happily receives it, because exim isn’t aware of the DNS settings, and doesn’t know any better.
So, we need to tell exim NOT to accept any mail for mydomain.com UNLESS it is coming from, let’s say for the sake of argument, out.filtermail.com. Let’s say that out.filtermail.com has an IP address of 126.96.36.199.
Build the safe lists
The first thing we want to do is create a couple of files. One to contain the names of the domains we want to restrict, and a second list, showing the IP address(es) of the approved relays (i.e. the IP addresses of the filtermail.com machines that will be sending out cleaned mail back to us).
Let’s call the first file /etc/filterdomains – this will contain the list of domains we want to filter, and have set up the special MX records for. It is just a list of domain names (one per line):
The second file we will call /etc/filterrelays – this will contain a line separated list of the safe relay IP addresses – which might look like this:
Firstly, if you are using WHM, then just use the advanced Exim Configuration editor to make these changes and they “should” stick. It would be a good idea to take a copy of all /etc/exim* files first, just in case you make a hash of it!
OK, now we are in the bear pit. We need to add a couple of definitions at the top of the exim.conf file as follows:
hostlist filter_relays = net-lsearch;/etc/filterrelays : net-lsearch;/etc/relayhosts
domainlist filter_domains = lsearch;/etc/filterdomains
Then, we are looking for the check_recipient: block and shortly after that there should be a line:
accept hosts = :
Then, following this line, you can add the following:
deny !hosts = +filter_relays
     domains = +filter_domains
     message = Please use the proper domain MX record
Once you have done this, restart Exim using either
/etc/init.d/exim restart
or if you are running WHM you can run
/scripts/restartsrv_exim
And if everything is well you should find that mail for the domains in /etc/filterdomains will only be accepted from your mail filtering service IP addresses, keeping the cheeky monkeys out!
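To sanity-check the list contents before restarting Exim, here is an offline model of the two ACL statements above; it is an added example, not part of the original article and not Exim's own code. The list contents are constructed samples, the function names are hypothetical, and the model assumes each relay entry is a single IP address and that domains compare case-insensitively.

```python
import ipaddress

# Constructed sample list contents; the article's example files are not shown.
FILTERDOMAINS = "mydomain.com\n"
FILTERRELAYS = "126.96.36.199\n"   # out.filtermail.com, per the article
RELAYHOSTS = "127.0.0.1\n"         # constructed stand-in for /etc/relayhosts
DENY_MESSAGE = "Please use the proper domain MX record"


def parse_keys(text):
    """Return the non-empty, non-comment lines of a one-key-per-line list."""
    keys = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keys.append(line)
    return keys


def load_relays(*texts):
    """Parse relay lists as single IP addresses; a bad line raises ValueError."""
    return {ipaddress.ip_address(k) for t in texts for k in parse_keys(t)}


def load_domains(text):
    # Model assumption: domains are compared case-insensitively.
    return {k.lower() for k in parse_keys(text)}


def check_recipient(sender_ip, rcpt, relays, domains):
    """Model the two statements in order; returns (verdict, message)."""
    # accept hosts = :   (empty host: the message did not arrive over TCP/IP)
    if sender_ip is None:
        return ("accept", "")
    domain = rcpt.rsplit("@", 1)[-1].lower()
    # deny !hosts = +filter_relays / domains = +filter_domains
    if domain in domains and ipaddress.ip_address(sender_ip) not in relays:
        return ("deny", DENY_MESSAGE)
    # Neither statement matched: Exim moves on to the rest of the ACL.
    return ("continue", "")
```

Because filter_relays also reads /etc/relayhosts, every address in that file is allowed to deliver to the filtered domains as well, so review it alongside /etc/filterrelays.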
Notes on usage
Again, this was done using exim4 under the WHM 11.25.* environment on CentOS. Always test things like this in a safe environment, not your production servers. Use of this information is done so entirely at your own risk!