Limiting Inbound SMTP Traffic from AppRiver Servers

Note: Please do not make any of the changes listed below if you have backup MX records that point directly to your mail server and bypass AppRiver. If you plan to remove your backup MX records, please allow at least 1 week for DNS caches across the Internet to clear before making the changes below.

ISSUE:
AppRiver has found that spammers intentionally deliver as much as 20 percent of their spam to the lower-priority MX record, directing it straight to customers' servers and thereby bypassing AppRiver. We highly advise using only the two MX records that AppRiver supplies. AppRiver's servers should be the only servers sending inbound mail to your server. You will need to continue to allow all outbound SMTP connections, since outbound mail leaves directly from your server and does not pass through AppRiver.

Note: Lotus Notes and Domino users - This issue has become especially important due to this CERT advisory (http://www.cert.org/historical/advisories/CA-2003-11.cfm).

AFFECTED CUSTOMERS:
AppRiver SecureTide® Clients and Hosted Exchange Clients with split-domain routing

This issue affects the following:

  •  Most firewalls

  •  Exchange 2000, 2003, 2007, 2010, and 2013 users

  •  Groupwise v6.0 and higher

SOLUTION:

Network ranges to allow for inbound SMTP

5.152.184.128/25 or 5.152.184.128 with subnet mask 255.255.255.128
5.152.185.128/26 or 5.152.185.128 with subnet mask 255.255.255.192
8.19.118.0/24 or 8.19.118.0 with subnet mask 255.255.255.0
8.31.233.0/24 or 8.31.233.0 with subnet mask 255.255.255.0
72.32.252.0/24 or 72.32.252.0 with subnet mask 255.255.255.0
74.205.4.0/24 or 74.205.4.0 with subnet mask 255.255.255.0
207.97.230.0/24 or 207.97.230.0 with subnet mask 255.255.255.0
207.97.242.0/24 or 207.97.242.0 with subnet mask 255.255.255.0
69.20.58.224/28 or 69.20.58.224 with subnet mask 255.255.255.240
69.20.68.128/29 or 69.20.68.128 with subnet mask 255.255.255.248
98.129.58.224/27 or 98.129.58.224 with subnet mask 255.255.255.224
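
As an added example that is not part of AppRiver's article, the following Python script parses the range table above, checks that the CIDR form and the subnet-mask form on each line describe the same network (a mismatch would mean one of the two forms is a typo and a firewall built from it would allow or block the wrong hosts), and then scans a few constructed MTA connection log lines to flag sources that reached the server without coming from an allowed range, which is exactly the bypass described in the ISSUE section. The log line format and the addresses in the sample lines are constructed for this example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real senders.

```python
import ipaddress
import re

# Allowed inbound SMTP sources, copied from the range table in this article.
# Each line carries both notations; the parser checks that they agree.
APPRIVER_RANGE_LINES = [
    "5.152.184.128/25 or 5.152.184.128 with subnet mask 255.255.255.128",
    "5.152.185.128/26 or 5.152.185.128 with subnet mask 255.255.255.192",
    "8.19.118.0/24 or 8.19.118.0 with subnet mask 255.255.255.0",
    "8.31.233.0/24 or 8.31.233.0 with subnet mask 255.255.255.0",
    "72.32.252.0/24 or 72.32.252.0 with subnet mask 255.255.255.0",
    "74.205.4.0/24 or 74.205.4.0 with subnet mask 255.255.255.0",
    "207.97.230.0/24 or 207.97.230.0 with subnet mask 255.255.255.0",
    "207.97.242.0/24 or 207.97.242.0 with subnet mask 255.255.255.0",
    "69.20.58.224/28 or 69.20.58.224 with subnet mask 255.255.255.240",
    "69.20.68.128/29 or 69.20.68.128 with subnet mask 255.255.255.248",
    "98.129.58.224/27 or 98.129.58.224 with subnet mask 255.255.255.224",
]

LINE_RE = re.compile(
    r"^(?P<cidr>\S+/\d+)\s+or\s+(?P<net>\S+)\s+with subnet mask\s+(?P<mask>\S+)$"
)


def parse_range_line(line):
    """Return the network described by one table line, raising ValueError if
    the CIDR and address/mask forms disagree or have host bits set."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised range line: {line!r}")
    from_cidr = ipaddress.ip_network(m["cidr"], strict=True)
    from_mask = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=True)
    if from_cidr != from_mask:
        raise ValueError(f"CIDR and subnet mask disagree: {line!r}")
    return from_cidr


def build_allowlist(lines=APPRIVER_RANGE_LINES):
    """Parse every table line into an ipaddress network object."""
    return [parse_range_line(line) for line in lines]


def is_allowed(ip, allowlist):
    """True if the connecting address falls inside any allowed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


# Constructed sample log lines in the style of an MTA "connect from" record.
# They are not from a real server; the non-AppRiver addresses are from
# documentation ranges.
SAMPLE_LOG = """\
Mar 03 10:01:12 mx postfix/smtpd[2211]: connect from mail.example.net[8.19.118.42]
Mar 03 10:01:40 mx postfix/smtpd[2212]: connect from unknown[203.0.113.45]
Mar 03 10:02:05 mx postfix/smtpd[2213]: connect from unknown[203.0.113.45]
Mar 03 10:02:31 mx postfix/smtpd[2214]: connect from relay.example.net[69.20.58.230]
Mar 03 10:03:02 mx postfix/smtpd[2215]: connect from unknown[198.51.100.9]
"""

CONNECT_RE = re.compile(r"connect from \S+\[(?P<ip>[0-9.]+)\]")


def bypass_sources(log_text, allowlist):
    """Count SMTP connections whose source is outside the allowlist, i.e.
    mail that reached this server without passing through the filter."""
    counts = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m or is_allowed(m["ip"], allowlist):
            continue
        counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    allowlist = build_allowlist()
    for net in allowlist:
        print(f"allow {net}")
    for ip, n in bypass_sources(SAMPLE_LOG, allowlist).items():
        print(f"bypass source {ip}: {n} connection(s)")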


AppRiver Hosted Exchange (HEX) clients that use Split-Domain Routing

HEX customers on EXG7            204.232.250.0  /24 or a subnet mask of 255.255.255.0
 

FIREWALLS:

When the AppRiver account was setup on the firewall, a specific delivery server was assigned (viewable under account details). Please ensure the specific delivery server is within the rules for your particular firewall.

Note: The following listing of firewall examples is provided for reference only and is not meant to be an all-inclusive listing of compatible firewall types. Please refer to this as a guide when making these changes, as it may vary from your system.

Dell SonicWALL

To limit the inbound Port 25 to AppRiver servers, login to SonicWALL and perform the following:

1. Select Network, then Address Objects, and then click Add Address Objects.
2. In the Edit Address Object menu, set Zone Assignment as WAN, set Type as Host, enter the server name and IP Address per the table listed above, and click OK.  Click the Add button and repeat until all servers have been entered.



3. Select Network, then Address Objects, and then click Add Group.
4. Name the group appriver servers, select the server names created in Step 2 on the left side of the Edit Address Object Group menu, click the right arrow (->) button to assign the selected servers to the new group on the right side, and click OK.

 


5. Select Network, then Services, and then click Add Services.
6. Assign the service as follows:

  •  Name: appriver

  •  Protocol: TCP

  •  Port Range (Start and End): 25


7. Select Network, then NAT Policies to set the external IP to use the service created in Step 6 for port 25 and click OK. Note: The Translated Destination: is the address object that contains the private IP address of your exchange server; the Original Service: is the service created in Step 6.

 



8. Select Firewall, then Access Rules, set the From/To as WAN to LAN, and then click Add to add a new rule that will limit only the AppRiver servers to port 25. Note: The Service: is the service created in Step 6; the Source: is the address object created in Step 4.



If you do not have a firewall, most mail server platforms have ways of limiting which IP addresses have permission to connect to your server’s SMTP service. AppRiver advises that the traffic be limited from your firewall. If you cannot do this, you may use the examples below to limit it from your mail server. Do not forget to include your firewall or other external devices that connect to your server.

MAIL SERVERS

Exchange 2000 & 2003

Click here to view the Limit SMTP Exchange 2000 - 2003 tutorial video. This video will guide you through a step-by-step procedure on how to configure Exchange 2000/2003 and limit Simple Mail Transfer Protocol (SMTP). Once you view the video, you are ready to configure your Exchange 2000/2003 mail server.

1. Open the Exchange System Manager.
2. Navigate to the Default SMTP Virtual Server folder. From here, right-click the folder and select Properties.
3. Within the Default SMTP Virtual Server Properties pop-up window, click the Access tab and the Connection Control button.
4. From here, you will add the above IPs and subnet ranges. Select the Only the list below option button, and then add the listed IPs and subnet ranges.
5. Each entry should be added as a single computer.
6. Please restart SMTP for the changes to occur. 

Exchange 2007 & 2010

Click here to view the Limit SMTP Exchange 2007 - 2010 tutorial video. This video will guide you through a step-by-step procedure on how to configure Exchange 2007/2010 and limit Simple Mail Transfer Protocol (SMTP). Once you view the video, you are ready to configure your Exchange 2007/2010 mail server.

1. Open the Exchange Management Console.
2. Navigate to: Server Configuration / Hub Transport / Default Receive Connector / Properties / Network tab.
3. Locate the Receive mail from remote server with IP screen.
4. By default, the rule is: 0.0.0.0 to 255.255.255.255. Remove the default and add the list of AppRiver provided IP addresses and subnet ranges into these fields.
5. Stop and restart the MSExchangeTransport service on the HUB transport server(s).

Exchange 2013

For Exchange 2013, the Exchange Management Console has been replaced with a Web-based Exchange Administration Center (EAC). Procedures for how to configure Exchange 2013 to limit Simple Mail Transfer Protocol (SMTP) are provided:

1. From the EAC, click mail flow.



2. On the Mail Flow menu, click receive connectors, then select Default Frontend MAIL, and finally click the edit  icon.




3. On the Default Frontend MAIL menu, click scoping, and then select the default IP addresses (0.0.0.0-255.255.255.255) under the *Remote network settings menu.

 

4. Click the delete  icon to remove the default IP addresses and click the new  icon to add the list of AppRiver provided IP addresses into the field.



5. Enter one of the AppRiver provided IP addresses to allow for inbound SMTP into the field and click save. Click the new icon and repeat Step 5 until all provided IP addresses have been added.



6. On the Default Frontend MAIL menu, click save and then exit the EAC.

Exchange v5.5

1. Within the Internet Mail Service Properties pop-up window, click the Connections tab in the Accept Connections area.
2. Click the Only from hosts using: option button, and then select Authentication as the option.
3. Click the Hosts... button, and then enter the above IP addresses. When done, click the OK button.
4. Stop and restart the services. 

Groupwise v6.0 and Higher

1. Edit the properties of the GWIA object.
2. Select the Access Control tab.
3. Create a new class of service and set it to Prevent incoming messages
4. Create the following exceptions in the Allow messages from box:  *@*.*.

  •  IP address of your mail host

  •  DNS hostname of your mail host

  •  Blank-Sender-User-ID 

5. Exit and restart the GWIA.  

Groupwise Workaround

If you have a firewall, you can allow SMTP traffic only from a specific site. Please use the following steps for the workaround:

1. Turn on Allow incoming messages for  the SMTP Incoming settings, which is in the GWIA Access Control, Default Class of Service.
2. Place GWIA inside the firewall with a private address, and a public address on the firewall with NAT translating the public address to the private address.
3. Create a filter on the firewall to only allow traffic to this public address and Port 25 (SMTP port), from the specific host's IP address. This will allow only mail from this IP address, and not from any other host, or IP address.

Note: This is actually a better solution than having GWIA accept and reject traffic. Basically, the only host that can attach to the GWIA is the host specified in the firewall exception.

Mac OS X Server for v10.4 or later

To restrict SMTP relay:

1.  In Server Admin, select Mail in the Computers & Services pane.
2.  Click Settings.
3.  Select the Relay tab.
4.  Select the Accept SMTP relays only from these hosts and networks check box.
5.  Edit the list of hosts.
6.  Click the Add (+) button to add a host to the list.  (This is where you will add the above.)

  •  Click the Add (+) button to add a host to the list. (This is where you will add the above list of AppRiver Delivery Servers).

  •  Click the Remove (-) button to delete the currently-selected host from the list.

  •  Click the Edit (/) button to change the currently-selected host from the list.



Note: For more detailed information on your Mac OS X Server settings, see the following link:

http://manuals.info.apple.com/en_US/Mail_Service_v10.4.pdf (Page 46)


SmartMail v3.x and Higher
 

To configure SmarterMail that only accepts e-mail from your SPAM filtering server, please blacklist the entire Internet with the exception of the IP (or IP range) of your SPAM filter server, as an example: 10.1.1.4.

1. Create two blacklists for the range between 1.1.1.1 - 10.1.1.3 and the other from 10.1.1.5 - 255.255.255.255.
2. In order to configure the blacklist, use the following steps:  

  •  Login as SysAdm.

  •  Navigate to Security/Blacklist/Whitelist.

  •  Add a Blacklist with this range: 1.1.1.1 - 10.1.1.3.

  •  Add another Blacklist with this range: 10.1.1.5 - 255.255.255.255.

  •  Add another Blacklist with this range: 10.1.1.5 - 255.255.255.255.

3. You will also need to configure the Alternate SMTP Submission Port, which will allow your users to relay mail through the SmarterMail server. 
4. In order to configure the Alternate SMTP Submission IP:Port, use the following steps:

  •  Login as SysAdmin.

  •  Navigate to Settings/Protocol Settings/SMTP In.

  •  Set the Submission IP: Port to an IP on your server and Port 587.

5. If it is not possible for you to use Port 587, then use Port 25. From here, you will need to utilize another IP that is on the server. Set the Submission IP: Port’s IP to the available IP, i.e., 10.1.1.5.
6. From here, you should create an a record for your new incoming (Relay only) IP as an example: smtp.domain.com at 10.1.1.5.
7. If you try to use the IP 10.1.1.4 on Port 25 as your alternate submission port, your SmarterMail server will stop receiving mail because all incoming mail would require SMTP Authentication.
8. In order to configure the Submission IP:Port, use the following steps:

  •  Login as SysAdmin.

  •  Navigate to Settings, Protocol Settings, and SMTP In.

  •  Set the Submission IP: Port to 10.1.1.5 on Port 25.

  •  Click Save. Even though 10.1.1.5 is blacklisted, this will work since SMTP alternate port submission supersedes Blacklisting.

ADDITIONAL SUPPORT:

AppRiver is also available to review your settings, which will ensure that you have the most optimal spam filtering tests enabled. If you need any additional support, please contact support@appriver.com.

ADDITIONAL NOTES:

We have several customers that do not have this setting in place. Therefore, they are receiving dictionary attacks against their server, in which spammers are trying to harvest valid addresses. These dictionary or VRFY command / query attacks will cause the SMTP service on the server to time out during the constant stream of lookups that can last hours or sometimes days depending on the number of valid hits they get. Customers that have the limits above in place will not have this problem.

 

Add Feedback