Restricting Access to your Mail Server

t's possible for spammers to bypass your MX records and send emails directly to your mail server, rendering anti-spam filtering useless. To avoid direct spam you need to make sure only our IPs can communicate to your mail server. This restriction can be implemented either at the mail server, firewall, or router level. This all depends on your infrastructure.

Make sure that all your domains are added to our filtering service and MX have been changed to our filters before making these modifications. 

You can find our complete list of IP addresses by viewing the Related Articles.

IN THIS ARTICLE  
Office 365/Exchange Online
 Microsoft Exchange
Google Apps Shared Hosting

Access Restrictions for Office 365/Exchange Online

Configuring a Mail Flow Connector

To configure Exchange Online to reject emails that do not come from our filters you will need to create a mail flow connector.

You can take a look at Microsoft's procedure starting at example 4

1
Connect to the Office 365 admin portal with a global admin account. Go to the Admin section. Then A dmin centersExchange.
2
Select Mailflow  Connectors and then +. Choose From: Partner organization / To: Office 365

3
Enter a name for the connector, a description and ensure its turned on.  

4
Choose By verifying that the sender domain matches one of the following domains

5
Select the + and enter an * (asterisk) to identify all the domains

 

6
You can leave the Reject email messages if they aren't sent over TLS and then add our IP address ranges. (see related articles)

7
Once completed, the configuration should look as follows:


Here is the Powershell command to create the connector with the new Hornetsecurity IP addresses : 

New-InboundConnector -Name "Hornetsecurity/Zerospam to O365 inbound" -Comment "Only accept email from Hornetsecurity/Zerospam transport addresses" -Enabled $true -SenderDomains * -RestrictDomainsToIPAddresses $true -RequireTls $true -SenderIPAddresses "209.172.38.64/27", "108.163.133.224/27", "216.46.2.48/29", "216.46.11.224/27", "199.27.221.64/27", "83.246.65.0/24", "173.45.18.0/24", "94.100.128.0/24", "94.100.129.0/24", "94.100.130.0/24", "94.100.131.0/24", "94.100.132.0/24", "94.100.133.0/24", "94.100.134.0/24", "94.100.135.0/24", "94.100.136.0/24", "94.100.137.0/24", "94.100.138.0/24", "94.100.139.0/24", "94.100.140.0/24", "94.100.141.0/24", "94.100.142.0/24", "94.100.143.0/24", "185.140.207.0/24", "185.140.206.0/24", "185.140.205.0/24", "185.140.204.0/24"

Access Restrictions for Microsoft Exchange

Creating a receive connector in Microsoft Exchange

If you chose to enable firewalling in Exchange, you will want to create a receive connector.

Microsoft Exchange 2013

Exchange 2013 uses a web-based interface called Exchange Admin Center (EAC). From the EAC, do the following:

1
Select mail flow  receive connectors.
2
Select Default Frontend [servername] and click the edit icon.
3
On the Default Frontend [servername] select the scoping option and then select the default IP address range (0.0.0.0-255.255.255.255) and click the remove icon.
4
Click on the add icon to add all our IPs (see Related Articles) and then save.

Microsoft Exchange 2007 & 2010

1
Open the Exchange Management Console.
2
Go to Server Configuration  Hub Transport  Default Receive Connector  Properties  Network tab.
3
You will see a section that says Receive mail from remote servers that have these IP addresses.
4
Remove the default rule for 0.0.0.0 to 255.255.255.255.
5
Add all our IPs (see Related Articles).
6
Stop and restart the MSExchangeTransport service.

Microsoft Exchange 2003

1
In Exchange System Manager, expand the following object: Servers  [ servername ]  Protocols  SMTP
2
Right-click the virtual SMTP server where you want to restrict inbound IPs, and then click Properties.
3
Click the Access tab, and then Connection.
4
Enable the Only the list below option and add all our IPs (see Related Articles).
5
Restart Exchange to activate your changes.

Access Restrictions for Google Apps

Instructions for Google hosting

Configuring our filtering with Google hosting requires a few extra steps that must be executed after you change your MX records. Google's instructions can be found here. You can find a shortened and adapted version below.

Google's Inbound Gateway Instructions

1
Update your domain’s MX records to point to our filters.
2
Sign in to the Google Admin console.
3
From the dashboard, go to Apps  G Suite  Gmail  Advanced settings.
4
In the Organizations section, highlight your domain (top-level org).
5
Scroll down to Inbound gateway.
6
Hover the cursor to the right of Inbound gateway. To create a new inbound gateway setting, click Configure. To edit an existing setting, click Edit.
7
Under Gateway IPs, enter the IP address/range for each gateway:

inbound_gateway_setting_1

8
Click Add.
9
Enter all our IPs (see Related Articles).
10
Click Save.
11
Check the following box to ensure that spammers do not bypass filtering:  Reject all mail not from gateway IPs — If you check this box, G Suite doesn’t accept mail from anywhere other than your inbound gateway.
12
Click Save changes at the bottom of the Gmail settings page.

Access Restrictions for a Shared Hosting Provider

If your emails are hosted on a provider that hosts several domains on the same server, they will likely not be able to restrict incoming email traffic and thus be unable to block direct spam. You may need to contact your provider to check what can be done.
The service provider could offer to close port 25 and open another port to handle SMTP traffic. This solution can be used even if the service provider hosts several customers on the same server because it is often possible to change the SMTP port on a per-domain basis. If this solution is used, the port change must be coordinated with us so that email can be properly delivered. 

If all else fails and your service provider is unable to offer any solutions, we will be unable to prevent any direct spam from being sent directly to you unless the situation changes.

Related Articles