On Mon, Apr 28, 2025 at 12:32:56PM +0000, ed bennett wrote:
> I only want to receive incoming emails and only send emails from the server
> itself, either with scripts or while logged on with ssh.
> I've completely blocked port 25 and the submission ports.
> With 25 open, I can't even login and I have to use IPMI.
> First, what can I do with just pf? I haven't found any useful examples and
> it's not clear to me exactly how to only allow local connections to send out
> emails work but still receive outside emails.
>
> After that, what should I do with smtpd.conf? I find the built-in from local
> defaults to be more confusing than helpful. I had a lot of useful backups
> lost from theft and the failure of the last hard drive with copies. I'm also
> just getting clear headed enough after two surgeries to do more than keep
> everything blocked and monitor continuously with tcpdump. Port 25 is still
> getting hit. The ISP offers Edgelayer ACL but I have not found any
> documentation on how to use it.
>
> Any help deeply appreciated.
>
If you want to receive external emails, you need to have port 25 open. However, this leaves the chance that other machines in the network submit their messages to the server's port 25. So, to do this at the network level, with PF, you can block connections from every other host on your LAN, and only allow connections from your gateway (assuming you're using NAT) or from anything but your LAN (if this is an internet-facing machine, which I wouldn't advise). This leaves the corner case in which the gateway machine can send messages to your MTA.

Apart from that, you might be able to do something different with your MTA: you can configure it to listen on the egress interface, allowing only for local delivery, *and* to listen on lo0, allowing those messages to be forwarded. This shouldn't be too hard to do with OpenSMTPD.

--
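As an added illustration (not part of ed's message or the reply above), the two approaches described in the reply could look like this on OpenBSD: a pf.conf that opens port 25 only to the gateway (or to anything outside the LAN) while keeping the submission ports closed, and an smtpd.conf that listens on lo0 and egress but only relays outward for sessions that originated locally. The interface name `em0`, the LAN range `192.168.1.0/24`, the gateway `192.168.1.1` and the domain `example.org` are placeholders to be replaced with real values.

```conf
# ---- /etc/pf.conf (added example, not from the thread) ----
# Placeholders: replace with the real interface, LAN range and gateway.
ext_if  = "em0"
lan_net = "192.168.1.0/24"
gateway = "192.168.1.1"

set skip on lo0
block return all

# Keep ssh reachable so the rule set cannot lock you out of the box.
pass in on $ext_if proto tcp to ($ext_if) port ssh

# Inbound SMTP, NAT case: only the gateway may reach port 25, so other
# hosts on the LAN cannot submit mail to this server.
pass in on $ext_if proto tcp from $gateway to ($ext_if) port smtp

# Internet-facing case: use this rule instead of the one above; it
# admits any source that is not on the LAN.
# pass in on $ext_if proto tcp from ! $lan_net to ($ext_if) port smtp

# No "pass in" rule for 587 or 465 exists, so the submission ports stay
# closed. Traffic the server itself originates, including SMTP to remote
# MXs from scripts or an ssh session, is allowed out.
pass out on $ext_if

# ---- /etc/mail/smtpd.conf (added example, not from the thread) ----
table aliases file:/etc/mail/aliases

# Listen for the local enqueuer (sendmail(8) from scripts), on loopback,
# and on the external interface.
listen on socket
listen on lo0
listen on egress

action "local_mail" mbox alias <aliases>
action "outbound" relay

# First matching rule wins. Mail for local users is accepted from any
# source, including external hosts that connected on egress. Only
# sessions that originated locally (socket or loopback) may relay to
# other destinations; an external connection asking for a non-local
# recipient matches no rule and is rejected, so this is not an open relay.
match from any for local action "local_mail"
match from local for any action "outbound"

# To also accept external mail for a hosted domain (placeholder):
# match from any for domain "example.org" action "local_mail"
```

Check both files before loading them: `pfctl -nf /etc/pf.conf` parses the rule set without applying it, and `smtpd -n` does the same for smtpd.conf; then `pfctl -f /etc/pf.conf` and `rcctl restart smtpd` put them into effect. With the NAT-case rule, the gateway itself can still reach port 25, which is the corner case the reply mentions; the smtpd match rules close it at the MTA level, since a gateway connection on egress can only deliver to local users.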