SMTP ACL list

By default the piler-smtp server receives emails from any sources, and it may be a challenge to get rid of spammers accessing port 25. You may have several options to achieve that, eg. use iptables or a network firewall to restrict smtp access to the archive.

From version 1.5.0 piler enterprise supports a postscreen style smtp access list. (the open source version starting with v1.3.10 also supports the ACL list). Note that tcp_wrappers is no longer supported.

Let’s say you want to archive emails from office 365 servers, and another mail server on 1.2.3.4. In that case create a file /etc/piler/smtp.acl readable by user piler with the following content:

# https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
#
40.92.0.0/15 permit
40.107.0.0/16 permit
52.100.0.0/14 permit
104.47.0.0/17 permit
# our legacy mail server
1.2.3.4/32 permit

The final step is to enable using the ACL list. Set the following in /etc/piler/piler.conf, and restart the piler-smtp daemon:

smtp_access_list=1

When a remote smtp client connects to piler the piler-smtp daemon checks its IP-address against these cidr blocks and actions in the exact order as they are in the acl file, and decides if the connection is permitted or not.

The format of smtp.acl is

Action is either “permit” or “reject” both in lowercase and without quotes.

When piler-smtp starts it syslogs all the parsed smtp acl rules. If you mistype the action or the cidr block is invalid, then such line is discarded and syslogs the acl line having the error.

Notice that there’s no reject line in the previous example, because there’s an implicit reject rule at the end. Also if you do specify acl entries, then “127.0.0.1/8 permit” is implicitly added to the end of the list to allow the gui to reach the piler-smtp daemon for health checks.

If the remote client is rejected then piler-smtp sends back an 550 error message (550 Service currently unavailable), terminates the tcp connection, and syslogs the action:

denied connection from 10.20.30.40, acl: 10.20.30.0/24 reject

denied connection from 129.146.70.108 by implicit default deny

Another example allowing smtp connections from everywhere, and block a few troublemakers:

1.2.3.4/32 reject
4.5.6.0/24 reject
0.0.0.0/0 permit

0.0.0.0/0 is a special cidr block meaning the whole ipv4 Internet.

One final note. The smtp acl supports only ipv4 addresses. Do NOT use this feature over ipv6.

Related Posts

Consolidating several anti-spam message headers on the SMTP gateway

Introduction to the piler GUI

Cyberhackers are Targeting your Organization’s Sensitive Data