I have an anti-spam firewall in front of our InterWorx boxes, which handles all of the mail incoming via MX records and delivers only the clean ones on to the InterWorx boxes. It works great, except spammers frequently ignore the MX records and send spam directly to the InterWorx boxes (obvious because all of the added anti-spam headers are missing).
I have our boxes configured as follows:
Non-PCI Compliant
Port 25: SMTP-AUTH available, TLS optional
Port 587: SMTP-AUTH required, TLS optional
PCI Compliant
Port 25: SMTP-AUTH available over TLS only, TLS available
Port 587: SMTP-AUTH over TLS required
We instruct all users to use port 587 and SMTP-AUTH, but I’m aware that people quite frequently use port 25 because Outlook encourages it. Outlook likewise discourages use of TLS due to hostname mismatches, which is why it is optional for the non-PCI compliant servers.
To complicate matters somewhat, not ALL of our InterWorx domains are using the new anti-spam appliance. It’s in testing, so even if there were an option in InterWorx for “Port 25: SMTP-AUTH REQUIRED, except for these IPs allowed to relay” (which I need), I couldn’t use that solution yet.
Questions:
- Could there be options for Port 25 just like Port 587, where SMTP-AUTH is required, with or without TLS?
- Can qmail support whitelisted IPs allowed to relay with no additional SMTP-AUTH or TLS requirements? The docs suggest it can be done, by adding rules to /etc/tcp.smtp, but I am really hesitant to go around the control panel on this one. I believe the “MTA SMTP Options (inbound)” section needs to support that IP list.
(Similar to this request, but not the same. I am trying to use the InterWorx SMTP for ONLY SMTP-AUTH except from a specific IP.)
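The /etc/tcp.smtp approach mentioned in the second question, worked through as an added example that is not part of the original post and not InterWorx's or qmail's own code. tcpserver reads these rules (compiled with tcprules) and, for an IP-only match, tries the exact address first, then shorter and shorter dotted prefixes, then the empty default rule; qmail-smtpd accepts relaying from any client whose rule sets RELAYCLIENT, and everyone else has to authenticate (or deliver only to local domains). The script below embeds a constructed rule set, evaluates it the way tcpserver would for a given client IP, and flags any rule that would hand RELAYCLIENT to a whole prefix or to the default (an accidental open relay). The appliance address 203.0.113.10 and the client addresses are hypothetical documentation-range IPs; the rules file content is constructed for this example.

```python
"""Offline evaluator for a qmail/tcpserver tcp.smtp rule set (constructed example)."""
import re
from dataclasses import dataclass, field

# Constructed rules file. 203.0.113.10 stands in for the anti-spam appliance
# (hypothetical address); 127.0.0.1 covers the box's own local mail.
TCP_SMTP_RULES = """
# Anti-spam appliance (hypothetical address): may relay without AUTH or TLS
203.0.113.10:allow,RELAYCLIENT=""
# The box itself (cron mail, webmail)
127.0.0.1:allow,RELAYCLIENT=""
# Everyone else: connection accepted, but without RELAYCLIENT qmail-smtpd
# only takes mail for local domains unless the client authenticates
:allow
"""

ASSIGN = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


@dataclass
class Decision:
    rule: str                 # the address pattern that matched ('' = default rule)
    allowed: bool             # allow vs deny
    env: dict = field(default_factory=dict)   # variables the rule exports


def parse_rules(text):
    """Parse 'address:allow|deny[,VAR="value",...]' lines into a dict."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        address, _, instruction = line.partition(':')
        action, _, assignments = instruction.partition(',')
        if action not in ('allow', 'deny'):
            raise ValueError(f'bad instruction in rule: {line!r}')
        rules[address] = (action == 'allow', dict(ASSIGN.findall(assignments)))
    return rules


def candidate_addresses(ip):
    """Lookup order tcpserver uses for an IPv4-only match: the exact address,
    then shorter and shorter dotted prefixes (1.2.3., 1.2., 1.), then ''."""
    yield ip
    octets = ip.split('.')
    for n in range(len(octets) - 1, 0, -1):
        yield '.'.join(octets[:n]) + '.'
    yield ''


def lookup(rules, ip):
    """Return the Decision the first matching rule produces for this client."""
    for addr in candidate_addresses(ip):
        if addr in rules:
            allowed, env = rules[addr]
            return Decision(addr, allowed, dict(env))
    # This example insists on an explicit default rule rather than relying on
    # tcpserver's behaviour when nothing matches.
    raise LookupError(f'no rule matches {ip}; add a default ":allow" rule')


def may_relay_without_auth(rules, ip):
    """True if the client gets RELAYCLIENT, i.e. relays with no SMTP-AUTH."""
    d = lookup(rules, ip)
    return d.allowed and 'RELAYCLIENT' in d.env


def open_relay_rules(rules):
    """Rules that export RELAYCLIENT for a prefix or the default rule: each of
    those turns every address under it into an unauthenticated relay client."""
    return sorted(addr for addr, (allowed, env) in rules.items()
                  if allowed and 'RELAYCLIENT' in env
                  and (addr == '' or addr.endswith('.')))


if __name__ == '__main__':
    rules = parse_rules(TCP_SMTP_RULES)
    for client in ('203.0.113.10', '198.51.100.77', '127.0.0.1'):
        d = lookup(rules, client)
        print(f'{client:16} rule={d.rule or "(default)":14} '
              f'relay_without_auth={may_relay_without_auth(rules, client)}')
    print('over-broad RELAYCLIENT rules:', open_relay_rules(rules) or 'none')
```

Run it before touching the live file to confirm that only the appliance and localhost get RELAYCLIENT and that a random Internet client falls through to the default rule. Two practical checks go with this: tcpserver only sees the compiled cdb, so the text file has to be recompiled with tcprules after every edit, and a control panel that manages this file may overwrite hand edits, so verify how InterWorx regenerates /etc/tcp.smtp before relying on a manual entry.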