
List:       postfix-users
Subject:    Re: Refuse mail from hosts with closed port 25
From:       Stephen Satchell <list () satchell ! net>
Date:       2019-09-16 17:22:07
Message-ID: d1c6ef50-6e17-b7a3-a730-b79fcf6ab2ea () satchell ! net

+1

Back when I was a Web Hosting monkey, I had something like 23 separate
mail servers (Plesk/qmail and CPanel/exim) trying to send mail to the
world.  After some of the servers got blacklisted for one reason or
another, I decided to use a pair of Postfix servers to send outgoing mail.

Incoming mail was directed to another pair of Postfix servers, which
then distributed the mail internally after running it all through
Spamassassin.

The domain MX records pointed to the inbound servers.  The firewall on
the outbound servers did not allow port 25 connections from IP addresses
outside of our assigned netblocks.  I believe that the return was
"administratively prohibited", not dead air.

Why did I do this?  Traffic management and spam control to the large
mail providers -- Google, AOL, Yahoo, and about five others.  The
centralized spam control made management far easier for all outgoing
mail.  I also did traffic management based on the reports to my abuse
address.  All this work cut down on complaints, and the company fell off
a lot of DNSBLs.

The individual qmail/exim MTAs ran without my worrying about security
issues or DJB weirdness.  Oh, I also had a couple of Windows web hosts,
so they came under the umbrella, satisfying my mantra of "Never expose
Windows to the bare Internet."  (Off-topic: ACLs took care of the other
usual Windows issues.)

One other caveat: the domain names for the outbound servers were "mx1"
and "mx2", while the domain names for the inbound servers were "mail1"
and "mail2".  Reverse DNS matched.

Side note: because the hosting company sold dedicated servers, we had to
block 25 outbound from the netblocks on which those servers lived.  If
they wanted to send mail outbound, they had to use the mx1 and mx2
servers as relay.  Blocked a whole lot of spam mail from compromised web
sites.  Yes, the support people had to tell some customers how to set
up "sendmail(1)" and PHPmail to do this.  Worth the pain and trouble.

(This was more than a decade ago.  I now wrangle Cisco devices and
appliances in a lab environment -- administer only one Postfix server
now, in my home network.)

On 9/16/19 7:16 AM, Bill Cole wrote:
> On 16 Sep 2019, at 9:17, Paul van der Vlis wrote:
> 
>> I guess only the big
>> providers will have different servers for inbound and outbound email,
>> and you can make a list of them.
> 
> Bad guess.
> 
> Many business email systems are architected this way for security
> purposes (e.g. Exchange is fine for sending mail out but you really
> don't want it accepting email from the Internet directly...) This is
> especially common with older businesses who got generous IPv4
> allocations decades ago, however I have worked with mail systems serving
> less than 500 employee-users of companies with /29 allocations that have
> mail going out from a shared NAT address but coming in via a dedicated IP.
> 
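An added illustration of the split setup Stephen describes above (not from the list post or from Postfix): one nftables ruleset for an outbound relay that only accepts port 25 from the hosting netblocks and answers everyone else with ICMP admin-prohibited, and one for the router in front of the dedicated-server netblocks that forces their mail through the relays. All netblocks and relay addresses are constructed RFC 5737 documentation values.

```nftables
# Constructed example: every address below is an RFC 5737 documentation range.

# (1) On each outbound relay (mx1/mx2): port 25 reachable only from the
#     hosting netblocks; the outside world gets "administratively prohibited"
#     instead of dead air. Other services are omitted for brevity.
table ip relay_in {
    set hosting_nets {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Internal qmail/exim/Windows hosts relay their outbound mail here.
        ip saddr @hosting_nets tcp dport 25 accept
        # Anyone else: refuse explicitly so the sender's log shows why.
        tcp dport 25 reject with icmp type admin-prohibited
    }
}

# (2) On the router in front of the dedicated-server netblocks: no direct
#     port-25 egress; mail must go via mx1/mx2, which cuts off spam sent
#     straight out of compromised web sites.
table ip dedicated_egress {
    set dedicated_nets {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }
    set relays {
        type ipv4_addr
        elements = { 192.0.2.25, 192.0.2.26 }   # mx1, mx2 (constructed)
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Allowed path: dedicated server -> relay on port 25.
        ip saddr @dedicated_nets ip daddr @relays tcp dport 25 accept
        # Everything else on port 25 from those netblocks is refused.
        ip saddr @dedicated_nets tcp dport 25 reject with icmp type admin-prohibited
    }
}
```

Load with `nft -f <file>`; the inbound pair (mail1/mail2) keeps port 25 open to the world and is deliberately not covered here.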
