Online demo Privacy policy GoBD notes Blog

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
current:smtp-acl-list [2020/12/29 08:28]
sj
current:smtp-acl-list [2020/12/29 09:04]
sj
Line 1: Line 1:
 ==== SMTP ACL lists ==== ==== SMTP ACL lists ====
  
 +By default the piler-smtp server receives emails from any sources, and it may be a challenge to get rid of spammers accessing port 25. You may have several options to achieve that, eg. use iptables or a network firewall to restrict smtp access to the archive.
 +
 +From version 1.3.10 piler supports a postscreen style smtp access list. Let's say you want to archive emails from office 365 servers, and another mail server on 1.2.3.4. In that case create a file /usr/local/etc/piler/smtp.acl readable by user piler with the following content:
 +
 +<code>
 +# https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
 +#
 +40.92.0.0/15 permit
 +40.107.0.0/16 permit
 +52.100.0.0/14 permit
 +104.47.0.0/17 permit
 +# our legacy mail server
 +1.2.3.4/32 permit
 +</code>
 +
 +Then set the following in piler.conf, and restart the piler-smtp daemon:
 +
 +<code>
 +smtp_access_list=1
 +</code>
 +
 +When a remote smtp client connects to piler the piler-smtp daemon checks its IP-address against these cidr blocks and actions in the exact order as they are in the acl file, and decides if the connection is permitted or not.
 +
 +The format of smtp.acl is <cidr block> <action>
 +
 +Action is either "permit" or "reject" both in lowercase and without quotes.
 +
 +When piler-smtp starts it syslogs all the parsed smtp acl rules. If you mistype the action or the cidr block is invalid, then such line is discarded and syslogs the acl line having the error.
 +
 +Notice that there's no reject line in the previous example, because there's an implicit reject rule at the end. Also if you do specify acl entries, then "127.0.0.1/8 permit" is implicitly added to the end of the list to allow the gui to reach the piler-smtp daemon for health checks.
 +
 +If the remote client is rejected then piler-smtp sends back an 550 error message (550 Service currently unavailable), terminates the tcp connection, and syslogs the action:
 +
 +<code>
 +denied connection from 10.20.30.40, acl: 10.20.30.0/24 reject
 +</code>
 +
 +or
 +
 +<code>
 +denied connection from 129.146.70.108 by implicit default deny
 +</code>
 +
 +Another example allowing smtp connections from everywhere, and block a few troublemakers:
 +
 +<code>
 +1.2.3.4/32 reject
 +4.5.6.0/24 reject
 +0.0.0.0/0 permit
 +</code>
 +
 +0.0.0.0/0 is a special cidr block meaning the whole ipv4 Internet.
 +
 +One final note. The smtp acl supports only ipv4 addresses. Do NOT use this feature over ipv6.
Google Analytics Alternative