Restricting Access to your Mail Server
It's possible for spammers to bypass your MX records and send emails directly to your mail server, rendering anti-spam filtering useless. To avoid direct spam, you need to make sure only our IPs can communicate with your mail server. This restriction can be implemented at the mail server, firewall, or router level, depending on your infrastructure.
Make sure that all your domains are added to our filtering service and that your MX records have been changed to point to our filters before making these modifications.
You can find our complete list of IP addresses by viewing the Related Articles.
Access Restrictions for Office 365/Exchange Online
Configuring a Mail Flow Connector
To configure Exchange Online to reject emails that do not come from our filters you will need to create a mail flow connector.
You can take a look at Microsoft's procedure starting at example 4.
- 1
- Connect to the Office 365 admin portal with a global admin account. Go to the Admin section. Then Admin centers ➔ Exchange.
- 2
- Select Mailflow ➔ Connectors and then +. Choose From: Partner organization / To: Office 365
- 3
- Enter a name for the connector, a description and ensure it's turned on.
- 4
- Choose By verifying that the sender domain matches one of the following domains
- 5
- Select the + and enter an * (asterisk) to identify all the domains
- 6
- You can leave the Reject email messages if they aren't sent over TLS and then add our IP address ranges. (see related articles)
- 7
- Once completed, the configuration should look as follows:
Here is the PowerShell command to create the connector with the new Hornetsecurity IP addresses:
New-InboundConnector -Name "Hornetsecurity/Zerospam to O365 inbound" -Comment "Only accept email from Hornetsecurity/Zerospam transport addresses" -Enabled $true -SenderDomains * -RestrictDomainsToIPAddresses $true -RequireTls $true -SenderIPAddresses "209.172.38.64/27", "108.163.133.224/27", "216.46.2.48/29", "216.46.11.224/27", "199.27.221.64/27", "83.246.65.0/24", "173.45.18.0/24", "94.100.128.0/24", "94.100.129.0/24", "94.100.130.0/24", "94.100.131.0/24", "94.100.132.0/24", "94.100.133.0/24", "94.100.134.0/24", "94.100.135.0/24", "94.100.136.0/24", "94.100.137.0/24", "94.100.138.0/24", "94.100.139.0/24", "94.100.140.0/24", "94.100.141.0/24", "94.100.142.0/24", "94.100.143.0/24", "185.140.207.0/24", "185.140.206.0/24", "185.140.205.0/24", "185.140.204.0/24"
Access Restrictions for Microsoft Exchange
Creating a receive connector in Microsoft Exchange
If you chose to enable firewalling in Exchange, you will want to create a receive connector.
Microsoft Exchange 2013
Exchange 2013 uses a web-based interface called Exchange Admin Center (EAC). From the EAC, do the following:
- 1
- Select mail flow → receive connectors.
- 2
- Select Default Frontend [servername] and click the edit icon.
- 3
- On the Default Frontend [servername] select the scoping option and then select the default IP address range (0.0.0.0-255.255.255.255) and click the remove icon.
- 4
- Click on the add icon to add all our IPs (see Related Articles) and then save.
Microsoft Exchange 2007 & 2010
- 1
- Open the Exchange Management Console.
- 2
- Go to Server Configuration → Hub Transport → Default Receive Connector → Properties → Network tab.
- 3
- You will see a section that says Receive mail from remote servers that have these IP addresses.
- 4
- Remove the default rule for 0.0.0.0 to 255.255.255.255.
- 5
- Add all our IPs (see Related Articles).
- 6
- Stop and restart the MSExchangeTransport service.
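To see which hosts open SMTP sessions from outside the filtering ranges, before or after scoping the receive connector, the Exchange receive protocol log can be checked against the allowed ranges. The following is an added example, not part of the original article or the vendor's tooling; the log lines, host name and client IPs are constructed, and FILTER_RANGES is only a subset of the ranges from the connector command above.

```python
import csv
import ipaddress

# Subset of the filtering ranges from the connector command above; in real use
# load the complete list from the Related Articles.
FILTER_RANGES = ["209.172.38.64/27", "94.100.128.0/24", "185.140.204.0/24"]

FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Constructed sample log (host name, session ids and client IPs are made up).
SAMPLE_LOG = r"""
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-05-01T10:15:30.123Z,MAIL01\Default Frontend MAIL01,08DC0000000000A1,0,10.0.0.5:25,94.100.128.10:41234,+,,
2024-05-01T10:15:30.200Z,MAIL01\Default Frontend MAIL01,08DC0000000000A1,1,10.0.0.5:25,94.100.128.10:41234,>,220 mail01 ESMTP,
2024-05-01T10:16:02.010Z,MAIL01\Default Frontend MAIL01,08DC0000000000A2,0,10.0.0.5:25,203.0.113.45:50211,+,,
2024-05-01T10:17:44.500Z,MAIL01\Default Frontend MAIL01,08DC0000000000A3,0,10.0.0.5:25,203.0.113.45:50290,+,,
2024-05-01T10:18:05.900Z,MAIL01\Default Frontend MAIL01,08DC0000000000A4,0,10.0.0.5:25,209.172.38.70:33012,+,,
"""


def remote_ip(endpoint):
    """Return the address part of 'ip:port' (or '[ipv6]:port')."""
    host = endpoint.rsplit(":", 1)[0]
    return ipaddress.ip_address(host.strip("[]"))


def find_bypass_connections(log_text, allowed_cidrs):
    """Count sessions per (connector, source IP) opened from outside allowed_cidrs."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    lines = (l for l in log_text.splitlines() if l and not l.startswith("#"))
    hits = {}
    for row in csv.reader(lines):
        rec = dict(zip(FIELDS, row))
        if rec.get("event") != "+":  # "+" marks session start; count each once
            continue
        try:
            ip = remote_ip(rec["remote-endpoint"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        if not any(ip in net for net in networks):
            key = (rec["connector-id"], str(ip))
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (connector, ip), n in find_bypass_connections(SAMPLE_LOG, FILTER_RANGES).items():
        print(f"{n} session(s) from {ip} on {connector}")
```

Protocol logging has to be enabled on the receive connector for these logs to exist. Internal relays or monitoring hosts that legitimately connect to the server should be appended to the allowed list so they are not reported.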
Microsoft Exchange 2003
- 1
- In Exchange System Manager, expand the following object: Servers → [ servername ] → Protocols → SMTP
- 2
- Right-click the virtual SMTP server where you want to restrict inbound IPs, and then click Properties.
- 3
- Click the Access tab, and then Connection.
- 4
- Enable the Only the list below option and add all our IPs (see Related Articles).
- 5
- Restart Exchange to activate your changes.
Access Restrictions for Google Apps
Instructions for Google hosting
Configuring our filtering with Google hosting requires a few extra steps that must be executed after you change your MX records. Google's instructions can be found here. You can find a shortened and adapted version below.
Google's Inbound Gateway Instructions
- 1
- Update your domain’s MX records to point to our filters.
- 2
- Sign in to the Google Admin console.
- 3
- From the dashboard, go to Apps → G Suite → Gmail → Advanced settings.
- 4
- In the Organizations section, highlight your domain (top-level org).
- 5
- Scroll down to Inbound gateway.
- 6
- Hover the cursor to the right of Inbound gateway. To create a new inbound gateway setting, click Configure. To edit an existing setting, click Edit.
- 7
- Under Gateway IPs, enter the IP address/range for each gateway:
- 8
- Click Add.
- 9
- Enter all our IPs (see Related Articles).
- 10
- Click Save.
- 11
- Check the following box to ensure that spammers do not bypass filtering: Reject all mail not from gateway IPs — If you check this box, G Suite doesn’t accept mail from anywhere other than your inbound gateway.
- 12
- Click Save changes at the bottom of the Gmail settings page.
Access Restrictions for a Shared Hosting Provider
If all else fails and your service provider is unable to offer any solutions, we will be unable to prevent spam from being sent directly to your mail server unless the situation changes.