AppRiver has found that as many as 20 percent of spammers intentionally deliver their spam to the lower-priority MX record, which directs it to the customer's servers and bypasses AppRiver. We highly advise using only the two MX records that AppRiver supplies. AppRiver's servers should be the only servers sending inbound mail to your server. You will need to continue to allow all outbound SMTP connections, since outbound mail leaves directly from your server and not through AppRiver.
Note: Lotus Notes and Domino users - This issue has become especially important due to this CERT advisory (http://www.cert.org/historical/advisories/CA-2003-11.cfm).
AppRiver Email Security Clients and Hosted Exchange Clients with split-domain routing
This issue affects the following:
• Most firewalls
• Exchange users
• Groupwise v6.0 and higher
• Office 365 users
(This is suggested since Office 365's default filtering will move mail to the junk mail folder. This will prevent users from having to check multiple places for mail. Additionally, having two filters running increases the likelihood of false positives.)
Network ranges to allow for inbound SMTP:
(This prevents problems with spammers attempting to deliver mail directly to the server, thus bypassing the filtering. Without this step being taken, the server would accept mail from an alternate location, and have a vulnerability.)
22.214.171.124/25 or 126.96.36.199
188.8.131.52/26 or 184.108.40.206
220.127.116.11/24 or 18.104.22.168
22.214.171.124/24 or 126.96.36.199
188.8.131.52/28 or 184.108.40.206
AppRiver Hosted Exchange (HEX) clients that use Split-Domain Routing
220.127.116.11/24 or a subnet mask of 255.255.255.0
When the AppRiver account was set up on the firewall, a specific delivery server was assigned (viewable in the Customer Portal under SpamLab Admin > Server Configuration). Please ensure the specific delivery server is within the rules for your particular firewall.
Note: The following listing of firewall examples is provided for reference only and is not meant to be an all-inclusive listing of compatible firewall types. Please refer to this as a guide when making these changes, as it may vary from your system.
To limit inbound Port 25 to AppRiver servers, log in to SonicWALL and perform the following:
1. Select Network, then Address Objects, and then click Add Address Objects.
2. In the Edit Address Object menu, set Zone Assignment as WAN, set Type as Host, enter the server name and IP Address per the table listed above, and click OK. Click the Add button and repeat until all servers have been entered.
3. Select Network, then Address Objects, and then click Add Group.
4. Name the group appriver servers, select the server names created in Step 2 on the left side of the Edit Address Object Group menu, click the right arrow (->) button to assign the selected servers to the new group on the right side, and click OK.
5. Select Network, then Services, and then click Add Services.
6. Assign the service as follows:
• Name: appriver
• Protocol: TCP
• Port Range (Start and End): 25
7. Select Network, then NAT Policies to set the external IP to use the service created in Step 6 for port 25 and click OK. Note: The Translated Destination: is the address object that contains the private IP address of your exchange server; the Original Service: is the service created in Step 6.
8. Select Firewall, then Access Rules, set the From/To as WAN to LAN, and then click Add to add a new rule that will limit only the AppRiver servers to port 25. Note: The Service: is the service created in Step 6; the Source: is the address object created in Step 4.
If you do not have a firewall, most mail server platforms have ways of limiting which IP addresses have permission to connect to your server’s SMTP service. AppRiver advises that the traffic be limited from your firewall. If you cannot do this, you may use the examples below to limit it from your mail server. Do not forget to include your firewall or other external devices that connect to your server.
Exchange 2000 & 2003
Click here to view the Limit SMTP Exchange 2000 - 2003 tutorial video. This video will guide you through a step-by-step procedure on how to configure Exchange 2000/2003 and limit Simple Mail Transfer Protocol (SMTP). Once you view the video, you are ready to configure your Exchange 2000/2003 mail server.
1. Open the Exchange System Manager.
2. Navigate to the Default SMTP Virtual Server folder. From here, right-click the folder and select Properties.
3. Within the Default SMTP Virtual Server Properties pop-up window, click the Access tab and the Connection Control button.
4. From here, you will add the above IPs and subnet ranges. Select the Only the list below option button, and then add the listed IPs and subnet ranges.
5. Each entry should be added as a single computer.
6. Please restart SMTP for the changes to occur.
Exchange 2007 & 2010
Click here to view the Limit SMTP Exchange 2007 - 2010 tutorial video. This video will guide you through a step-by-step procedure on how to configure Exchange 2007/2010 and limit Simple Mail Transfer Protocol (SMTP). Once you view the video, you are ready to configure your Exchange 2007/2010 mail server.
1. Open the Exchange Management Console.
2. Navigate to: Server Configuration / Hub Transport / Default Receive Connector / Properties / Network tab.
3. Locate the Receive mail from remote server with IP screen.
4. By default, the rule is: 0.0.0.0 to 255.255.255.255. Remove the default and add the list of AppRiver provided IP addresses and subnet ranges into these fields.
5. Stop and restart the MSExchangeTransport service on the HUB transport server(s).
For Exchange 2013, the Exchange Management Console has been replaced with a Web-based Exchange Administration Center (EAC). Procedures for how to configure Exchange 2013 to limit Simple Mail Transfer Protocol (SMTP) are provided:
1. From the EAC, click mail flow.
2. On the Mail Flow menu, click receive connectors, then select Default Frontend MAIL, and finally click the edit icon.
3. On the Default Frontend MAIL menu, click scoping, and then select the default IP addresses (0.0.0.0-255.255.255.255) under the Remote network settings menu.
4. Click the delete icon to remove the default IP addresses and click the new icon to add the list of AppRiver provided IP addresses into the field.
5. Enter one of the AppRiver provided IP addresses to allow for inbound SMTP into the field and click save. Click the new icon and repeat Step 5 until all provided IP addresses have been added.
6. On the Default Frontend MAIL menu, click save and then exit the EAC.
1. Within the Internet Mail Service Properties pop-up window, click the Connections tab in the Accept Connections area.
2. Click the Only from hosts using: option button, and then select Authentication as the option.
3. Click the Hosts... button, and then enter the above IP addresses. When done, click the OK button.
4. Stop and restart the services.
Groupwise v6.0 and Higher
1. Edit the properties of the GWIA object.
2. Select the Access Control tab.
3. Create a new class of service and set it to Prevent incoming messages.
4. Create the following exceptions in the Allow messages from box: *@*.*.
• IP address of your mail host
• DNS hostname of your mail host
5. Exit and restart the GWIA.
If you have a firewall, you can allow SMTP traffic only from a specific site. Please use the following steps for the workaround:
1. Turn on Allow incoming messages for the SMTP Incoming settings, which is in the GWIA Access Control, Default Class of Service.
2. Place GWIA inside the firewall with a private address, and a public address on the firewall with NAT translating the public address to the private address.
3. Create a filter on the firewall to only allow traffic to this public address and Port 25 (SMTP port), from the specific host's IP address. This will allow only mail from this IP address, and not from any other host, or IP address.
Note: This is actually a better solution than having GWIA accept and reject traffic. Basically, the only host that can attach to the GWIA is the host specified in the firewall exception.
Mac OS X Server for v10.4 or later
To restrict SMTP relay:
1. In Server Admin, select Mail in the Computers & Services pane.
2. Click Settings.
3. Select the Relay tab.
4. Select the Accept SMTP relays only from these hosts and networks check box.
5. Edit the list of hosts.
6. Click the Add (+) button to add a host to the list. (This is where you will add the above.)
• Click the Add (+) button to add a host to the list. (This is where you will add the above list of AppRiver Delivery Servers).
• Click the Remove (-) button to delete the currently-selected host from the list.
• Click the Edit (/) button to change the currently-selected host from the list.
Note: For more detailed information on your Mac OS X Server settings, see the following link:
http://manuals.info.apple.com/en_US/Mail_Service_v10.4.pdf (Page 46)
SmarterMail v3.x and Higher
To configure SmarterMail so that it only accepts e-mail from your spam filtering server, blacklist the entire Internet with the exception of the IP (or IP range) of your spam filter server, for example: 10.1.1.4.
1. Create two blacklists: one for the range 18.104.22.168 - 10.1.1.3 and the other for the range 10.1.1.5 - 255.255.255.255.
2. In order to configure the blacklist, use the following steps:
• Log in as SysAdmin.
• Navigate to Security/Blacklist/Whitelist.
• Add a Blacklist with this range: 22.214.171.124 - 10.1.1.3.
• Add another Blacklist with this range: 10.1.1.5 - 255.255.255.255.
3. You will also need to configure the Alternate SMTP Submission Port, which will allow your users to relay mail through the SmarterMail server.
4. In order to configure the Alternate SMTP Submission IP:Port, use the following steps:
• Log in as SysAdmin.
• Navigate to Settings/Protocol Settings/SMTP In.
• Set the Submission IP: Port to an IP on your server and Port 587.
5. If it is not possible for you to use Port 587, then use Port 25. From here, you will need to utilize another IP that is on the server. Set the Submission IP: Port’s IP to the available IP, i.e., 10.1.1.5.
6. From here, you should create a record for your new incoming (Relay only) IP as an example: smtp.domain.com at 10.1.1.5.
7. If you try to use the IP 10.1.1.4 on Port 25 as your alternate submission port, your SmarterMail server will stop receiving mail because all incoming mail would require SMTP Authentication.
8. In order to configure the Submission IP:Port, use the following steps:
• Log in as SysAdmin.
• Navigate to Settings, Protocol Settings, and SMTP In.
• Set the Submission IP: Port to 10.1.1.5 on Port 25.
• Click Save. Even though 10.1.1.5 is blacklisted, this will work since SMTP alternate port submission supersedes Blacklisting.
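The two blacklist ranges in the SmarterMail procedure are the complement of the allowed address over the IPv4 space (0.0.0.0 to 255.255.255.255). As an added example (not AppRiver's or SmarterMail's code), the Python below computes those ranges and goes beyond the single-host case to several allowed hosts or networks; the function name and the documentation-range sample networks are assumptions.

```python
import ipaddress


def blacklist_ranges(allowed):
    """Return inclusive (start, end) IPv4 ranges covering every address
    that is NOT inside one of the allowed hosts or networks."""
    nets = [ipaddress.IPv4Network(a, strict=False) for a in allowed]
    ranges = []
    cursor = 0  # lowest address (as an integer) not yet accounted for
    # collapse_addresses merges overlapping/adjacent networks and yields
    # them in ascending order, so one pass over the gaps is enough.
    for net in ipaddress.collapse_addresses(nets):
        first = int(net.network_address)
        last = int(net.broadcast_address)
        if first > cursor:
            ranges.append((cursor, first - 1))
        cursor = last + 1
    if cursor <= 0xFFFFFFFF:
        ranges.append((cursor, 0xFFFFFFFF))
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e)))
            for s, e in ranges]


if __name__ == "__main__":
    # The page's single-host example.
    for start, end in blacklist_ranges(["10.1.1.4"]):
        print(f"Blacklist: {start} - {end}")
    # Constructed multi-network allow list (documentation ranges).
    for start, end in blacklist_ranges(
            ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.16/28"]):
        print(f"Blacklist: {start} - {end}")
```

Each allowed network adds one more blacklist entry, so a provider with five delivery ranges needs up to six entries.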
1. Log into portal.microsoftonline.com as a Global Administrator, and then click service settings.
2. Click manage additional settings in the Exchange admin center.
3. Click mail flow, and then click rules.
4. Click the + symbol to create a new rule, choose Bypass Spam Filtering from the drop-down menu, enter the data below into the appropriate fields, and then click Save.
Name: AppRiver Email Security Filtering
Apply this rule if: The sender… > IP address is in any of these ranges or exactly matches
Specify IP address ranges (You must click the plus sign after each entry):
Do the following: (Should already be set) Modify the message properties > set the spam confidence level to (SCL) -1
Choose a mode for this rule: Enforce
Comments: This rule must remain in place to allow AppRiver traffic to bypass Office 365 filtering.
5. The AppRiver Email Security Filtering rule is now in place and being enforced.
AppRiver is also available to review your settings, which will ensure that you have the most optimal spam filtering tests enabled. If you need any additional support, please contact firstname.lastname@example.org.
We have several customers that do not have this setting in place. Therefore, they are receiving dictionary attacks against their server, in which spammers are trying to harvest valid addresses. These dictionary or VRFY command / query attacks will cause the SMTP service on the server to time out during the constant stream of lookups that can last hours or sometimes days depending on the number of valid hits they get. Customers that have the limits above in place will not have this problem.
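To check whether a server is still accepting connections from outside the allowed ranges, and whether any of those sources look like the address-harvesting runs described above, the SMTP log can be audited against the allow list. This is an added example, not AppRiver's code: the log format, the threshold and the allow-list networks (documentation ranges used as placeholders) are assumptions to adapt to your own server.

```python
import ipaddress
from collections import Counter

# Placeholder allow list (documentation ranges, not AppRiver's); use the
# ranges your filtering provider supplies.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "198.51.100.16/28")]

# Constructed sample in an assumed format: "<time> <remote-ip> <dir> <SMTP line>"
# where "<" is a line received from the client and ">" is the server's reply.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.10 < RCPT TO:<user@example.com>
2024-05-01T10:00:01Z 192.0.2.10 > 250 OK
2024-05-01T10:02:11Z 203.0.113.77 < VRFY alice
2024-05-01T10:02:11Z 203.0.113.77 > 550 unknown user
2024-05-01T10:02:12Z 203.0.113.77 < VRFY bob
2024-05-01T10:02:12Z 203.0.113.77 > 550 unknown user
2024-05-01T10:02:13Z 203.0.113.77 < RCPT TO:<carol@example.com>
2024-05-01T10:02:13Z 203.0.113.77 > 550 unknown user
2024-05-01T10:05:40Z 203.0.113.9 < RCPT TO:<user@example.com>
2024-05-01T10:05:40Z 203.0.113.9 > 250 OK
"""


def audit(log_text, allowed=ALLOWED, threshold=3):
    """Report sources outside the allow list and likely address harvesters."""
    lookups, rejects = Counter(), Counter()
    outside = set()
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # not a log record
        _, remote, direction, smtp = parts
        try:
            addr = ipaddress.ip_address(remote)
        except ValueError:
            continue  # malformed address field
        if any(addr in net for net in allowed):
            continue  # traffic from the filtering service is expected
        outside.add(remote)
        token = smtp.split(None, 1)[0].upper()
        if direction == "<" and token in ("RCPT", "VRFY"):
            lookups[remote] += 1  # recipient or VRFY lookup from an outsider
        elif direction == ">" and token.startswith("55"):
            rejects[remote] += 1  # server rejected the lookup (55x reply)
    suspects = sorted(ip for ip in outside
                      if lookups[ip] >= threshold and rejects[ip] >= threshold)
    return {"outside_allow_list": sorted(outside), "harvest_suspects": suspects}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any entry under `outside_allow_list` means the firewall or connector restriction is not in effect for that source; once the limits are in place the list should stay empty.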