#134 How to only allow connections from approved/trusted real world IPs

v1.0 (example)
open
None
5
2026-03-18
2026-03-16
DavidM
No

Hi
I'm sure I should be able to set this up (Windows Server 2025) but I want to only allow connections from a single trusted real world IP to the SMTP instance which then forwards the traffic to another SMTP server for distribution.

All suggestions much appreciated! Thanks.

Discussion

  • DavidM

    DavidM - 2026-03-17

    FWIW...
    In our dev set up I have set up plain text authentication which works for us as we only have one real world box connecting to our site.

    So connections which are not authenticated fail like this:

    emailrelay: 20260317.144321.786: info: 18.209.86.113;4843: smtp connection from 18.209.86.113:4843
    emailrelay: 20260317.144322.385: info: dnsbl: address [18.209.86.113] allowed by [spam.dnsbl.example.com]
    emailrelay: 20260317.144322.385: info: dnsbl: address [18.209.86.113] allowed by [block.dnsbl.example.com]
    emailrelay: 20260317.144322.385: info: tx>>: "220 smtp2.lymden-lodge.net -- E-MailRelay V2.6.1 -- Service ready"
    emailrelay: 20260317.144323.240: info: 18.209.86.113;4843: rx<<: "EHLO keeper-us-east-1d.mxtoolbox.com"
    emailrelay: 20260317.144323.240: info: 18.209.86.113;4843: tx>>: "250-smtp2.lxxxxxxt says hello"
    emailrelay: 20260317.144323.240: info: 18.209.86.113;4843: tx>>: "250-AUTH CRAM-SHA512 CRAM-SHA256 CRAM-SHA1 CRAM-MD5 PLAIN LOGIN"
    emailrelay: 20260317.144323.240: info: 18.209.86.113;4843: tx>>: "250-VRFY"
    emailrelay: 20260317.144323.240: info: 18.209.86.113;4843: tx>>: "250-PIPELINING"
    emailrelay: 20260317.144323.240: info: 18.209.86.113;4843: tx>>: "250 8BITMIME"
    emailrelay: 20260317.144323.881: info: 18.209.86.113;4843: rx<<: "MAIL FROM:supertool@mxtoolboxsmtpdiag.com"
    emailrelay: 20260317.144323.881: info: 18.209.86.113;4843: server authentication enabled but not a trusted address: 18.209.86.113
    emailrelay: 20260317.144323.881: info: 18.209.86.113;4843: tx>>: "530 authentication required"
    emailrelay: 20260317.144324.360: info: 18.209.86.113;4843: rx<<: "RCPT TO:test@mxtoolboxsmtpdiag.com"
    emailrelay: 20260317.144324.360: info: 18.209.86.113;4843: tx>>: "503 command out of sequence -- use RSET to resynchronise"
    emailrelay: 20260317.144324.584: info: 18.209.86.113;4843: rx<<: "QUIT"
    emailrelay: 20260317.144324.584: info: 18.209.86.113;4843: tx>>: "221 OK"
    emailrelay: 20260317.144324.584: info: 18.209.86.113;4843: smtp connection closed: smtp protocol done: 18.209.86.113:4843
    emailrelay: 20260317.144324.584: info: forwarding: [client disconnect]
    emailrelay: 20260317.144324.585: info: forwarding: no messages to send

    and an authenticated msg gets through...

    Connecting to mail server.
    Connected.
    220 smtpxxxxxt -- E-MailRelay V2.6.1 -- Service ready
    EHLO WM-PC01
    250-xxxxxxx says hello
    250-AUTH CRAM-SHA512 CRAM-SHA256 CRAM-SHA1 CRAM-MD5 PLAIN LOGIN
    250-VRFY
    250-PIPELINING
    250 8BITMIME
    AUTH LOGIN
    334 VXNlcm5hbW6=
    dGFsa2luZQ=
    334 UGFzc3dvcm=6
    M21t
    235 authentication successful
    RSET
    250 state reset
    MAIL FROM: admin@company.net
    250 sender admin@company.net OK
    RCPT TO: admin@company.net
    250 recipient admin@company.net OK
    DATA
    354 start mail input -- end with <crlf>.<crlf>
    .
    250 message processed
    Forcing disconnection from SMTP server.
    QUIT
    221 OK
    Disconnected.

    Message Sent Successfully

    and, no, the auth data is not the real stuff!
    
     
  • Graeme Walker

    Graeme Walker - 2026-03-17

    Since you asked about using the address-verifier to authorise the IP address I was going to suggest a script like this (or equivalent in JScript):

    #!/bin/sh
    ip=`IFS=: ; set -- $3 ; echo $1`
    if test "$ip" = "10.0.0.1"
    then
        echo ""
        echo "$1"
        exit 1
    else
        exit 100
    fi
    

    Unfortunately the connection-abort feature is broken in v2.6.x -- the protocol stops but the connection persists. The alternative is to reject all recipient addresses with an error message. The remote client cannot then submit the e-mail because it has no recipients:

    #!/bin/sh
    ip=`IFS=: ; set -- $3 ; echo $1`
    if test "$ip" = "10.0.0.1"
    then
        echo ""
        echo "$1"
        exit 1
    else
        echo unauthorised IP address: $ip
        exit 2
    fi
    
     

    Last edit: Graeme Walker 2026-03-17
  • DavidM

    DavidM - 2026-03-17

    Thanks - good pointers - much appreciated. Is whitelist comma-separated or something else? (CIDR perhaps?)

     
  • Graeme Walker

    Graeme Walker - 2026-03-17

    (I shouldn't post code off the top of my head -- in the original version the dots in the address would match any character in the address, not just a literal dot. I've changed it to use an exact match.)

    To allow a handful of addresses you could just extend the "test" expression with "-o":

    if test "$ip" = "10.0.0.1" -o "$ip" = "192.168.1.1" -o ...etc...
    

    or iterate through a list:

    whitelist="10.0.0.1 192.168.1.1"
    for w in $whitelist; do test "$ip" = "$w" && allow=y; done
    if test "$allow" = "y"
    then
    ..etc..
    
     
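An added example that is not part of either poster's comments or of E-MailRelay itself: it generalises the whitelist loop above so that the list may mix bare IPv4 addresses and CIDR blocks (the CIDR question raised earlier), using plain POSIX sh arithmetic. The argument positions and exit codes are taken from the scripts in this thread ($1 = recipient, $3 = client ip:port, exit 1 = accept, exit 2 = reject with the first output line as the message); the ALLOWLIST values are constructed samples and IPv4-only handling is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): E-MailRelay address-verifier script that
# accepts recipients only when the client's IPv4 address is in ALLOWLIST, which
# may mix bare addresses and CIDR blocks. $1 = recipient, $3 = client "ip:port";
# exit 1 = accept for forwarding, exit 2 = reject with the first output line as
# the error message (conventions as used in the thread's scripts). IPv4 only.
ALLOWLIST=${ALLOWLIST:-"10.0.0.1 192.168.1.0/24"}   # constructed sample values

ip_to_int() {
    # Dotted-quad IPv4 -> 32-bit integer; returns 1 on anything malformed
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr IP ENTRY -> success if IP lies in ENTRY (a.b.c.d or a.b.c.d/N)
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32              # bare address: exact match
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ipn=$(ip_to_int "$1") || return 1
    netn=$(ip_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

verify() {
    rcpt=$1
    client_ip=${3%%:*}                         # strip the ":port" suffix
    for entry in $ALLOWLIST; do
        if in_cidr "$client_ip" "$entry"; then
            echo ""                            # line 1: (unused) mailbox name
            echo "$rcpt"                       # line 2: the accepted address
            return 1                           # exit 1: valid remote recipient
        fi
    done
    echo "unauthorised IP address: $client_ip" # reject reason sent to the client
    return 2
}

# Act as a verifier only when E-MailRelay supplies its arguments
if [ $# -ge 3 ]; then verify "$@"; exit $?; fi
```

Every RCPT TO from a client outside the list is answered with the rejection text, so the message has no recipients and cannot be submitted, which is the workaround described above for the broken connection-abort in v2.6.x.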
  • DavidM

    DavidM - 2026-03-18

    Doh! That's why I could not get it to work! Thanks - now works fine. Great SMTP server.

     
