How to Restrict which Mail-Servers your Exchange Server will Accept Email From
Normally, mail-servers have to accept connections from every
mail-server on the Internet that wants to send something to them.
An Anti-spam system on the mail-server may then decline to accept emails
from particular servers if it considers the email to be spam, to contain a
virus or to otherwise be undesirable.
If you are using Arrowmail to filter all your company's incoming
email then you want your server to accept email only from our servers.
Doing this will make your network more secure and lessen the load on
your mail-server.
Method 1: Using Your Internet Router
To enable your mail-server to accept emails from the Internet, you
will have already set a Port Forwarding rule on your Internet router.
This means that any Internet mail-server attempting to connect to your router
on TCP Port 25 - the port used for transferring emails - will be
"forwarded" to your internal mail-server which, otherwise, will not be
directly contactable from the Internet.
The best way to restrict your mail-server to accepting connections from
only our servers is to modify the existing
port-forwarding rule.
The image below shows the correct
port-forwarding rule setup on a Netgear router to only accept
mail-server connections from Arrowmail:-
192.168.0.5 is the IP address of the internal mail-server - yours is
likely to be different.
83.245.15.239 is the correct IP address to use for our server which
will be sending email to you.
If you have other offices or people's homes that need to connect to
Exchange over the Internet
using SMTP you will have to add additional, similar firewall rules to
include these Public IP addresses.
(Remote email access is usually achieved using Outlook Web Access or
Outlook Anywhere which do not use SMTP.)
Method 2: Adding a Restriction to Exchange's Virtual SMTP Server
With some routers, the port-forwarding rules are "all or nothing", so
the above method won't work.
To stop Exchange accepting all incoming connections, open Exchange System Manager and navigate to the Default
SMTP Virtual Server and right-click - Properties - as shown
below.
You may have additional SMTP Connectors configured but these are for
outgoing email only - the Default SMTP Virtual Server
deals with all incoming email.
On the Access tab click the Connection… button and click Add… and add a Single
computer with the IP address 83.245.15.239.
Normal Outlook clients don't connect using SMTP, but any email clients that use a
POP3 or IMAP email account will also need to connect to the Default
SMTP Virtual Server so you may need to add other entries to the list
of IP addresses allowed to connect, such as a Group of computers
which represents the address of your internal LAN. An example is shown
below:-
You might have other offices or people's homes that need to connect,
using SMTP, over the Internet, so,
as long as they use static IP addresses,
these Public IP addresses will also need to be added.
This method is not as good as the Router method because the disallowed
traffic from other mail-servers travels right up to your Exchange server
before being refused, rather than being stopped before it gets to your
internal network.
Both the Modified Port-Forwarding and Default SMTP Virtual
Server Restriction methods are easy to reverse if you ever decide to
go back to receiving your own email directly again.
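Once either restriction is in place, the SMTP log is the place to confirm that nothing else is still talking to the server. The script below is an added example, not part of the original page: it assumes logging is enabled on the virtual server in W3C extended format, uses a constructed sample log, and assumes 192.168.0.0/255.255.255.0 as the internal LAN group.

```python
import ipaddress

# Allow list mirroring the Connection entries described above: one
# "Single computer" and one "Group of computers" (LAN range is an assumption).
ALLOWED = [
    ipaddress.ip_network("83.245.15.239/32"),
    ipaddress.ip_network("192.168.0.0/255.255.255.0"),
]

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method sc-status
2010-03-01 09:00:01 83.245.15.239 EHLO 250
2010-03-01 09:00:02 83.245.15.239 RCPT 250
2010-03-01 09:04:10 192.168.0.23 MAIL 250
2010-03-01 09:07:45 203.0.113.77 EHLO 250
2010-03-01 09:07:46 203.0.113.77 RCPT 550
2010-03-01 09:09:12 not-an-ip HELO 250
"""

def is_allowed(ip_text, allowed=ALLOWED):
    """True if ip_text parses as an address inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as not allowed
    return any(ip in net for net in allowed)

def unexpected_sources(log_text, allowed=ALLOWED):
    """Return {client_ip: line_count} for clients outside the allow list."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or "c-ip" not in fields:
            continue
        row = dict(zip(fields, line.split()))
        ip = row.get("c-ip", "")
        if not is_allowed(ip, allowed):
            hits[ip] = hits.get(ip, 0) + 1
    return hits

if __name__ == "__main__":
    for ip, count in unexpected_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} log line(s) from outside the allow list")
```

Any address it reports is either a missing allow-list entry (another office, a POP3/IMAP user) or a sign that the restriction is not being applied.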
Allow Our Servers to Relay Email Through Your Exchange Server
Allowing your server to relay email is very bad.
Spammers scour the Internet searching for such mail-servers.
Relaying means accepting email from the Internet for final recipients
who are not on your system. Your server then has to send it back out
onto the Internet to its final destination.
When a spammer finds such a mail-server, they send it 1000s of
emails, each with 100s of different recipients.
With such a mass of spam coming from your server, it slows to a
crawl, your Internet bandwidth is used up, you get blacklisted so no one
will accept any emails from you and your ISP threatens to cut you off.
Even today, this happens all the time, so let's start by checking that
your Exchange server is not set to relay:-
Open Exchange System Manager and navigate to the Default
SMTP Virtual Server and right-click - Properties
This time go to the Access tab and click the Relay…
button:-
It's not uncommon for users on an Exchange server to have several
different email addresses, often completely different ones.
Exchange considers it to be relaying if it accepts email for addresses
other than ones at its main email domain, even when these
addresses are set as aliases for local users.
If all your company's email is coming through Arrowmail's server for
virus and spam processing then you're probably going to have to configure
your Exchange server to allow our server's IP address to relay email.
This is how it should look:-
You should also leave that box ticked that allows anyone who can provide a
valid username and password to also be able to relay. This would be
required when your users send emails using a different From address to their
main email address, which is quite a common thing users want to do.
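The relay settings above can also be checked from the outside, by asking your own server whether it would accept a recipient who is not on your system. This is an added example, not part of the original page; the function names and result strings are assumptions, and it should be run from an address that is neither on your LAN nor in the relay list.

```python
import smtplib

def probe_relay(conn, sender, outside_rcpt):
    """Ask an open SMTP session whether it would relay to outside_rcpt.

    The dialogue stops after RCPT TO and is then reset, so no message
    is ever transmitted.
    """
    conn.ehlo()
    code, _ = conn.mail(sender)
    if not 200 <= code < 300:
        return "sender-refused"
    code, _ = conn.rcpt(outside_rcpt)
    conn.rset()
    # A 2xx reply to a recipient outside your domains, given without
    # authenticating, means the server is willing to relay.
    return "relay-accepted" if 200 <= code < 300 else "relay-refused"

def check_own_server(host, sender, outside_rcpt, port=25, timeout=10):
    """Run the probe against your own server.

    A refused or dropped connection is reported rather than raised; that
    is the expected result once the router or Connection restriction
    described earlier on this page is in place.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            return probe_relay(conn, sender, outside_rcpt)
    except (OSError, smtplib.SMTPException):
        return "no-connection"
```

Call check_own_server() with your server's public address and two mailboxes you control on outside domains; "relay-refused" or "no-connection" is the result you want, while "relay-accepted" means the Relay settings need correcting.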
Arrowmail is owned and operated by
Rhebus Limited, a UK-registered company, number 4079706.