Online demo Privacy policy GoBD notes Blog

This is an old revision of the document!


SMTP ACL lists

By default the piler-smtp server receives emails from any sources, and it may be a challenge to get rid of spammers accessing port 25. You may have several options to achieve that, eg. use iptables or a network firewall to restrict smtp access to the archive.

From version 1.3.10 piler supports a postscreen style smtp access list. Let's say you want to archive emails from office 365 servers, and another mail server on 1.2.3.4. In that case create a file /usr/local/etc/piler/smtp.acl readable by user piler with the following content:

# https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
#
40.92.0.0/15 permit
40.107.0.0/16 permit
52.100.0.0/14 permit
104.47.0.0/17 permit
# our legacy mail server
1.2.3.4/32 permit

Then set the following in piler.conf, and restart the piler-smtp daemon:

smtp_access_list=1

When a remote smtp client connects to piler the piler-smtp daemon checks its IP-address against these cidr blocks and actions in the exact order as they are in the acl file, and decides if the connection is permitted or not.

The format of smtp.acl is <cidr block> <action>

Action is either “permit” or “reject” both in lowercase and without quotes.

When piler-smtp starts it syslogs all the parses smtp acl rules. If you mistype the action or the cidr block is invalid, then such line is discarded and syslogs the acl line having the error.

Notice that there's no reject line in the previous example, because there's an implicit reject rule at the end. Also if you do specify acl entries, then “127.0.0.1/8 permit” is implicitly added to the end of the list to allow the gui to reach the piler-smtp daemon for health checks.

If the remote client is rejected then piler-smtp sends back an 550 error message (550 Service currently unavailable), terminates the tcp connection, and syslogs the action:

denied connection from 10.20.30.40, acl: 10.20.30.0/24 reject

or

denied connection from 129.146.70.108 by implicit default deny

Another example allowing smtp connections from everywhere, and block a few troublemakers:

1.2.3.4/32 reject
4.5.6.0/24 reject
0.0.0.0/0 permit

0.0.0.0/0 is a special cidr block meaning the whole ipv4 Internet.

One final note. The smtp acl supports only ipv4 addresses. Do NOT use this feature over ipv6.

Google Analytics Alternative