
From: Tommy R
Date: 4/9/20 7:30 AM
Topic: Proxy IP not real IP show up in actual mail server
Type: General Discussions

I just migrated from Win2008r2 (end of support) to a Win2019std.

With this I decided to try to make the best practice of all configurations. Most of all on security...

My server is single on 1 public IP and one local IP. Xeams as Spam Firewall with hMailServer behind. For all these years I have noticed that in my IP-scope setting in hMailServer, all failing login request bans (brute force) show up with Xeams IP, not the real source IP. Before Xeams was installed all attempts were captured with the real source IP, making it easier to use scripts for IP-ban etc. If I ban my own IP now everything will stop working.

Client-side is configured with SSL/TLS on both 465/993 for local IP. All domains use DKIM keys. hMailServer.

Xeams firewall bound to port 25 on public IP and forwards to port 2525 local IP, no security as they both are on the same server and other local (web)services use this as outgoing SMTP.

Is there a way to:

1. make the real source IP be revealed for hMailServer connectors OR:

2. Xeams to take care of the IP bans for users repeatedly not authorizing correctly to my hMailServer OR

3. you have a better idea to solve this?

Where did I go wrong here? ;-)


From: Synametrics Support
Date: 4/9/20 9:26 AM
Topic: Proxy IP not real IP show up in actual mail server
Type: General Discussions

Tommy,

Are you using the regular SMTP or the SMTP Proxy server in Xeams? I recommend you use the regular SMTP in Xeams. Check https://www.xeams.com/switchingproxy2regular.htm for instructions and why we recommend this.

Your hMailServer will always think the communication is being initiated by the Xeams IP address when it is sitting in front. It will never know the real IP address of the server on the Internet. When you use the regular SMTP server, Xeams will completely shield your hMailServer from any attack. If someone tries to guess passwords in Xeams, they will be blocked. Check https://www.xeams.com/best-practices-prevent-password-hacks.htm for how to configure Xeams so no one will be able to guess passwords.

You should only route port 25 through Xeams. Every other port (465, 587, 993, and 995) should go directly to your hMailServer. In fact, I recommend you don't use standard ports on hMailServer, because passwords can be guessed through any of the above ports.

Answers to your specific questions:

  1. hMailServer will NOT know the real IP if the connection is made on port 25, since Xeams is sitting in between. It will know the real IP for every other port.
  2. Xeams will take care of the attacks on port 25. Check InvalidPasswordAttempts.log in Xeams. It will give you an idea of who is attacking on port 25. hMailServer will have to handle the remaining ports. That is why I recommend using non-standard ports for the remaining services. You can always ask your users to change these values in their Outlook/Thunderbird.

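An added example, not part of either post and not code from Xeams or hMailServer: a ban-candidate selector for the kind of IP-ban script mentioned in the question, which counts failed logins per source address but never proposes the proxy's own address, so failures relayed through the proxy cannot lock out the whole server. The log line layout, the proxy address `192.168.1.10`, the threshold and all sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed, not from the thread): the proxy's local address,
# the threshold, and the "timestamp listener_port source_ip result" layout.
PROXY_ADDRS = {ipaddress.ip_address("192.168.1.10")}
THRESHOLD = 3

# Constructed sample: port 2525 traffic arrives via the proxy, so its source
# is always the proxy address; ports 465/993 are reached directly by clients.
SAMPLE_LOG = """\
2020-04-09T07:01:02 2525 192.168.1.10 AUTH_FAIL
2020-04-09T07:01:03 2525 192.168.1.10 AUTH_FAIL
2020-04-09T07:01:04 2525 192.168.1.10 AUTH_FAIL
2020-04-09T07:01:05 2525 192.168.1.10 AUTH_FAIL
2020-04-09T07:01:06 2525 192.168.1.10 AUTH_FAIL
2020-04-09T07:02:10 993 203.0.113.7 AUTH_FAIL
2020-04-09T07:02:11 993 203.0.113.7 AUTH_FAIL
2020-04-09T07:02:12 993 203.0.113.7 AUTH_FAIL
2020-04-09T07:02:30 993 203.0.113.7 AUTH_OK
2020-04-09T07:03:00 465 198.51.100.20 AUTH_FAIL
2020-04-09T07:03:01 465 198.51.100.20 AUTH_FAIL
this line is malformed and must be skipped
"""

def ban_candidates(log_text, proxy_addrs=PROXY_ADDRS, threshold=THRESHOLD):
    """Return (addresses to ban, count of failures seen only as the proxy)."""
    fails = Counter()
    proxied = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "AUTH_FAIL":
            continue
        try:
            src = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # not an IP address: ignore rather than guess
        if src in proxy_addrs or src.is_loopback:
            # Real origin is hidden behind the proxy; banning this address
            # would cut off all relayed mail, so only count it for reporting.
            proxied += 1
            continue
        fails[src] += 1
    to_ban = sorted(str(ip) for ip, n in fails.items() if n >= threshold)
    return to_ban, proxied

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

A non-zero second value means failures are arriving through the proxy and have to be investigated in the proxy's own logs, since the backend never sees their origin.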