Tightening Your Security
Once you've configured your domains and waited for the DNS changes to your MX records to propagate, you might consider improving the security of your mail server.
Some spam-sending hosts will attempt to deliver email directly to the hosts listed in DNS as A records, ignoring your MX records. This means they will attempt to send mail directly to your mail server, bypassing our filtering process.
To prevent this there are several different approaches you could take:
Configure A Firewall
-
Since all your mail should be arriving via our filtering servers, you should be able to drop all incoming connections to your SMTP server on port 25 except those from our hosts.
If you're using a GNU/Linux system you could accomplish this via the following rules:
    #
    # Allow from our primary system.
    #
    # Note this hostname may resolve to multiple IP addresses.
    # iptables handles this directly. If you are unsure please
    # see our mx list.
    #
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW \
        -s incoming.mail-scanning.com -j ACCEPT
    #
    # Allow from our backup system.
    #
    # Note this hostname may resolve to multiple IP addresses.
    # iptables handles this directly. If you are unsure please
    # see our mx list.
    #
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW \
        -s backup.mail-scanning.com -j ACCEPT
    #
    # Otherwise reject.
    #
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j REJECT
Note: If your own users rely on SMTP authentication to send outgoing mail through this server, this won't be a good idea, because their connections to port 25 would be rejected as well.
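One practical wrinkle with the rules above: iptables resolves a hostname given to -s only once, at the moment the rule is inserted, so if the addresses behind the scanner hostnames change later the firewall will not follow them. The script below is an added example (not the scanning service's own code) that resolves the hostnames to their current addresses and prints a complete ruleset that can be reviewed and re-applied whenever the published mx list changes. The chain name MX-ALLOW, the use of getent, and the two sample addresses in the usage comment are this example's assumptions; the hostnames are the ones from the rules above.

```shell
#!/bin/sh
# Added example: generate the port-25 allow-list from the scanner hostnames'
# current addresses. Nothing is applied; the output is meant to be reviewed
# and then piped to sh as root. Chain name and getent usage are assumptions.

SCANNER_HOSTS="incoming.mail-scanning.com backup.mail-scanning.com"

# resolve_v4 HOST: print the host's IPv4 addresses, one per line (needs DNS).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# build_rules "IP IP ...": print the iptables commands that accept new
# connections to port 25 from the listed addresses and reject all others.
# An empty list is refused, since applying it would lock out the scanners
# themselves and stop all inbound mail.
build_rules() {
    ips=$1
    if [ -z "$(printf '%s' "$ips" | tr -d '[:space:]')" ]; then
        echo "build_rules: no addresses given, refusing to generate a lock-out" >&2
        return 1
    fi
    # A dedicated chain can be flushed and refilled on each run without
    # disturbing the rest of INPUT.
    echo "iptables -N MX-ALLOW 2>/dev/null || iptables -F MX-ALLOW"
    for ip in $ips; do
        echo "iptables -A MX-ALLOW -s $ip -j ACCEPT"
    done
    echo "iptables -A MX-ALLOW -j REJECT"
    # Hook the chain into INPUT only once: -C tests whether the jump exists.
    echo "iptables -C INPUT -p tcp --dport 25 -m state --state NEW -j MX-ALLOW 2>/dev/null ||" \
         "iptables -I INPUT -p tcp --dport 25 -m state --state NEW -j MX-ALLOW"
}

# Resolve every scanner host and emit the ruleset, e.g.
#   ./mx-allow.sh > /tmp/mx-allow.rules && sh /tmp/mx-allow.rules
# (build_rules "203.0.113.10 198.51.100.7" shows the output for two
# constructed sample addresses without touching DNS.)
all_ips=""
for host in $SCANNER_HOSTS; do
    all_ips="$all_ips $(resolve_v4 "$host")"
done

if [ -n "$(printf '%s' "$all_ips" | tr -d '[:space:]')" ]; then
    build_rules "$all_ips"
else
    echo "no addresses resolved for $SCANNER_HOSTS; nothing generated" >&2
fi
```

The generated rules touch port 25 only. If the caveat in the note above applies to you, one common arrangement (an assumption about your setup, not something the page describes) is to have authenticated users submit mail on the submission port instead, which these rules leave open.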
Examine Mail Headers
-
As documented, our scanning machines add a variety of headers to each mail they process.
This means that any mail you receive which contains none of our headers must have been delivered directly, bypassing your MX records, and may be discarded: it comes from a sender that does not follow the RFCs.
The X-MS.com-server and X-MS.com-version headers are good candidates to filter on, as they are guaranteed to always be present.
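As an added example (not the scanning service's own code), the following shell function checks a message for both of those headers the way a local delivery filter might. Two details matter for a check like this: only the header section of the message should be inspected, so that the header names appearing in the body of a directly delivered message do not count, and folded continuation lines (which start with whitespace) must not be mistaken for new headers. Header names are matched case-insensitively, as mail software treats them. The two sample messages are constructed for the example. Note that a sender who knows the header names could add them itself, so this check complements the firewall approach above rather than replacing it.

```shell
#!/bin/sh
# Added example: decide whether a message carries the scanner's headers,
# so mail delivered straight to the A record can be flagged or discarded.

# has_scanner_headers FILE
# Exit 0 if both X-MS.com-server and X-MS.com-version appear in the header
# section of the message in FILE, 1 otherwise. The body is never inspected.
has_scanner_headers() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^$/ { exit }                            # blank line: header section is over
        /^[ \t]/ { next }                        # folded continuation, not a new header
        tolower($0) ~ /^x-ms\.com-server:/  { server = 1 }
        tolower($0) ~ /^x-ms\.com-version:/ { version = 1 }
        END { exit (server && version) ? 0 : 1 }
    ' "$1"
}

# classify FILE: print "scanned" or "direct", for use in a delivery filter.
classify() {
    if has_scanner_headers "$1"; then
        echo scanned
    else
        echo direct
    fi
}

# Constructed sample messages (not real traffic) in temporary files.
SCANNED_MSG=$(mktemp)
DIRECT_MSG=$(mktemp)
trap 'rm -f "$SCANNED_MSG" "$DIRECT_MSG"' EXIT

# Delivered via the scanners: headers present (one in different case),
# plus a folded Subject line that must not confuse the parser.
printf '%s\n' \
    'Received: from incoming.mail-scanning.com (constructed sample)' \
    'X-MS.com-Server: scanner01' \
    'X-MS.com-version: 1.0' \
    'Subject: Quarterly' \
    ' report (folded continuation line)' \
    '' \
    'Body text.' > "$SCANNED_MSG"

# Delivered straight to the A record: the scanner headers are absent from
# the header section; copies of the names in the body do not count.
printf '%s\n' \
    'From: sender@example.net' \
    'Subject: hello' \
    '' \
    'X-MS.com-server: copied-into-body' \
    'X-MS.com-version: copied-into-body' > "$DIRECT_MSG"

classify "$SCANNED_MSG"   # scanned
classify "$DIRECT_MSG"    # direct
```

In a real deployment the function would be called from whatever hook your MTA or local delivery agent offers, with the message on a file or standard input, and "direct" mail would be logged and rejected or quarantined rather than silently dropped, so that a misconfiguration on the scanning side shows up quickly.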
Listen on a non-standard port
-
In order to receive mail for a domain you must have a mail server listening on a publicly accessible internet address, and this address must be advertised via DNS.
When these two conditions are met, other mail servers know where to address their mail: the hostname advertised in DNS, on the standard SMTP port 25.
If we host your incoming MX records then you shouldn't actually need to accept any incoming connections to your machine except from our servers. This means you can configure your mail server to listen on a non-standard port, which allows you to avoid drive-by SMTP connections from hosts that only try port 25.
Providing you tell us which port(s) your server(s) listen on, we'll still be able to deliver your mail.