I just migrated from Win2008r2 (end of support) to a Win2019std

With this i decided to try to make the best practice of all configurations. Most of all on security...

My server is single on 1 public IP and one local IP. Xeams as Spam Firewall with hMailServer behind. For all these years I have noticed that in my IP-scope setting in hMailServer, alle failing login request bans (brute force) show up with xeams IP, not the real source IP. Before xeams was installed all attempts was captured with the real source IP making it easier to use scripts for IP-ban etc. If i ban my own IP now everything will stop working.

Client-side is configurede with SSL/TLS on both 465/993 for local IP. All domains use DKIM keys. hMailserver.

Xeams firewall bound to port 25 on public IP and forwards to port 2525 local IP, no security as they both are on the same server and other local (web)services uses this as outgoing SMTP.

Is there a way to:

1. make the real source IP to be revealed for hMailServer connetors OR:

2. xeams to take care of the IP bans as of users repeatedly not authorizing correct to my hMailServer OR

3. you have a better idea to solve this?

Where did I go wrong here? ;-)