IPs to allow for inbound SMTP:
69.20.58.226 server45.appriver.com
69.20.68.133 server55.appriver.com
207.97.224.142 server75.appriver.com
207.97.229.125 server101.appriver.com
207.97.230.34 server102.appriver.com
207.97.230.54 server105.appriver.com
207.97.242.51 server115.appriver.com
92.52.89.74 server305.appriver.com
74.205.4.52 server120.appriver.com
72.32.252.16 server502.appriver.com
72.32.253.10 server510.appriver.com
72.32.252.97 server520.appriver.com
120.136.38.138 server605.appriver.com
69.20.60.122 AppRiver Load Balancer
69.20.58.234 AppRiver Backup Server
You can use the subnet mask of 255.255.255.0 if required.
Add any other internal IP blocks or external servers that use your server to relay mail. (Only if needed)
*For Shoreline customers only (AppRiver Hosted Exchange) that use split domain routing:
Hosted Exchange customers on EXG3 (Shoreline)
207.97.230.0 / 255.255.255.0
Hosted Exchange customers on EXG4 (Shoreline)
72.32.253.0 / 255.255.255.0
*** Just to double check *** You should now have a minimum of 15 IP addresses that you are adding to your SMTP allowed list.
If you do not have a firewall, most mail server platforms have ways of limiting which IP addresses have permission to connect to your server’s SMTP service.
AppRiver advises that the traffic be limited at your firewall. If you cannot do this, you may use the examples below to limit it at your mail server. Do not forget to include your firewall or other external devices that connect to your server.
Mail Servers
For Exchange 2000 & 2003:
Open the Exchange System Manager. Navigate to the Default SMTP Virtual Server, right-click it and go to Properties.
http://www.appriver.com/kb/Exchange2k3.JPG
Within the Default SMTP Virtual Server Properties click the Access Tab, then Connection Control.
http://www.appriver.com/kb/exchange2k3_connection_cont.jpg
This is where the above IPs are added. Select the radio button "only the list below" and then add the listed IPs. Each IP should be added as a single computer.
Restart SMTP for the changes to take effect.
For Exchange 2007:
Open the Exchange Management Console.
Navigate to: Server Configuration / Hub Transport / Default Receive Connector / Properties / Network Tab.
Locate the “Receive mail from remote server with IP” screen.
By default the rule is: 0.0.0.0 to 255.255.255.255.
Remove the default and add the list of Appriver provided IP addresses into this field.
Stop and restart the services.
http://technet.microsoft.com/en-us/library/bb123712.aspx
For Exchange 5.5:
Go to Internet Mail Service Properties / Connections Tab / Accept Connections area.
Click the radio button "Only from hosts using: Authentication".
Click the "Specify by Host" button and enter the IP addresses listed above.
Stop and restart the services.
http://www.appriver.com/kb/ex55.jpg
For GroupWise 6.0 and above:
Edit the properties of the GWIA object. Select the Access Control tab.
Create a new class of service and set it to "Prevent incoming messages".
Create the following exceptions in the "Allow messages from" box:
*@*.*
IP address of your mail host
DNS hostname of your mail host
Blank-Sender-User-ID
Exit and restart the GWIA.
Workaround:
If you have a firewall, you can allow SMTP traffic only from a specific site by doing the following:
1) Turn on "Allow incoming messages" for "SMTP Incoming" settings, in the GWIA Access Control, Default Class of Service.
2) Place the GWIA inside the firewall with a private address, put a public address on the firewall, and NAT the public address to the private address.
3) Create a filter on the firewall that only allows traffic to this public address on port 25 (the SMTP port) from the specific host's IP address. This will allow mail only from this IP address, and not from any other host or IP address.
Note: This is actually a better solution than having the GWIA accept and reject traffic. This way, the only host that can connect to the GWIA is the host specified in the firewall exception.
For SmarterMail 3.x and higher:
To configure SmarterMail so that it only accepts email from your spam filtering server, you will need to blacklist the entire Internet with the exception of the IP (or IP range) of your spam filter server, for example 10.1.1.4.
Create two blacklists: one for the range 1.1.1.1 to 10.1.1.3 and the other for the range 10.1.1.5 to 255.255.255.255.
To configure the blacklist:
1. Login as SysAdmin
2. Navigate to: Security | Blacklist / Whitelist
3. Add a Blacklist with this range: 1.1.1.1 to 10.1.1.3
4. Add another Blacklist with this range: 10.1.1.5 to 255.255.255.255
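The two ranges above cover a single allowed IP; with several allowed addresses (such as the AppRiver list at the top of this page) you need one blacklist range per gap between them. The following Python sketch is an added example, not part of the original instructions or of SmarterMail: it generalizes the 10.1.1.4 case to any list of allowed IPs or subnets, and the function name blacklist_ranges is hypothetical.

```python
import ipaddress

# Bounds used in the page's SmarterMail example.
LOW, HIGH = "1.1.1.1", "255.255.255.255"

# The 15 inbound SMTP addresses listed at the top of this page.
PAGE_IPS = """
69.20.58.226 69.20.68.133 207.97.224.142 207.97.229.125 207.97.230.34
207.97.230.54 207.97.242.51 92.52.89.74 74.205.4.52 72.32.252.16
72.32.253.10 72.32.252.97 120.136.38.138 69.20.60.122 69.20.58.234
""".split()


def blacklist_ranges(allowed, low=LOW, high=HIGH):
    """Return (start, end) pairs covering low..high minus the allowed entries.

    Entries may be single IPs ("10.1.1.4") or subnets such as
    "207.97.230.0/255.255.255.0" (hypothetical helper, not a SmarterMail API).
    """
    spans = []
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)
        spans.append((int(net.network_address), int(net.broadcast_address)))
    spans.sort()

    lo, hi = (int(ipaddress.IPv4Address(x)) for x in (low, high))
    gaps, cursor = [], lo
    for first, last in spans:
        if cursor > hi:
            break
        if first > cursor:              # addresses before this allowed span
            gaps.append((cursor, min(first - 1, hi)))
        cursor = max(cursor, last + 1)  # skip the allowed span itself
    if cursor <= hi:                    # tail after the last allowed span
        gaps.append((cursor, hi))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in gaps]


if __name__ == "__main__":
    for start, end in blacklist_ranges(PAGE_IPS):
        print(f"Blacklist {start} to {end}")
```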
You will also need to configure the Alternate SMTP Submission Port in order to allow your users to relay mail through the SmarterMail server.
To configure the Alternate SMTP Submission IP:Port:
1. Login as SysAdmin
2. Settings | Protocol Settings | SMTP In
3. Set the Submission IP: Port to an IP on your server and Port 587
If it is not possible for you to use port 587 and you need to use port 25, you will need to use another IP that is on the server. Set the Submission IP:Port’s IP to the available IP, for example 10.1.1.5. Then create an A record for your new incoming (relay only) IP, for example smtp.domain.com at 10.1.1.5. If you were to try to use the IP 10.1.1.4 on port 25 as your alternate submission port, your SmarterMail server would stop receiving mail because all incoming mail would require SMTP authentication.
To configure the Submission IP:Port:
1. Login as SysAdmin
2. Navigate to: Settings | Protocol Settings | SMTP In
3. Set the Submission IP:Port to 10.1.1.5 on Port 25
4. Click Save
Even though 10.1.1.5 is blacklisted, this will work because SMTP alternate port submission supersedes Blacklisting.
Additional Support
AppRiver is also available to review your settings to make sure you have the most optimal spam filtering tests enabled. Please let us know by sending an email to: support@appriver.com.
Additional Note:
We are starting to see that several customers who do not have this setting in place are receiving dictionary attacks against their server, in which spammers are trying to harvest valid addresses. These dictionary or VRFY command / query attacks will cause the SMTP service on the server to time out during the constant stream of lookups, which can last hours or sometimes days depending on the number of valid hits they get. Customers that have the limits above in place will not have this problem.
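One way to check a server for the symptom described in this note, as an added example that is not AppRiver's own tooling: the Python sketch below reports SMTP sources outside the allowed list and flags those sending repeated VRFY or rejected RCPT commands. The log format, the sample lines, the threshold and the function names are constructed for illustration; adapt the pattern to your mail server's SMTP log.

```python
import ipaddress
import re
from collections import Counter

# Allowed sources: a few entries from the list on this page; the /24 form
# uses the 255.255.255.0 mask the page permits. Extend with the full list.
ALLOWED = [ipaddress.ip_network(n) for n in (
    "69.20.58.226/32", "207.97.230.0/24", "72.32.253.0/24")]

# Constructed sample log in a simplified, hypothetical format:
# "<time> <source-ip> <smtp-command> <reply-code>"
SAMPLE_LOG = """\
09:00:01 69.20.58.226 RCPT 250
09:00:02 198.51.100.7 VRFY 550
09:00:02 198.51.100.7 VRFY 550
09:00:03 198.51.100.7 RCPT 550
09:00:03 198.51.100.7 RCPT 250
09:00:04 207.97.230.54 RCPT 250
09:00:05 203.0.113.9 RCPT 250
"""

LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+) (\w+) (\d{3})$")


def is_allowed(ip):
    """True if ip falls inside one of the ALLOWED networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)


def audit(log_text, probe_threshold=3):
    """Return ({source: line count}, [sources that look like harvesting]).

    Only sources outside ALLOWED are reported. A probe is a VRFY, or an
    RCPT that was rejected with a 5xx reply.
    """
    outside, probes = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or is_allowed(m.group(1)):
            continue
        ip, cmd, code = m.groups()
        outside[ip] += 1
        if cmd == "VRFY" or (cmd == "RCPT" and code.startswith("5")):
            probes[ip] += 1
    harvesters = sorted(ip for ip, n in probes.items() if n >= probe_threshold)
    return dict(outside), harvesters
```

With the allow list enforced at the firewall or mail server, the first result should be empty; any entry in it means a source is still reaching port 25 directly.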