
M C Wong writes:
Can't access to this port be guarded against by a filtering router which is configured to accept *only* a number of trusted MX hosts?
Sure -- if you only want to accept mail from fifteen machines on earth. If on the other hand your users might get mail from anywhere on earth, your mail ports have to be open to connections from anywhere.
No, I am saying that we use the MX field in DNS to specify our MX hosts, so hosts from anywhere else will time out connecting to the target SMTP server while trying to deliver mail directly to it, and hence will have to send the message to the next best MX host instead, and the firewall is configured to permit access *only* from those MX hosts.
The problem here becomes how one can protect all those MX hosts instead.
You can't. All you are doing is moving the problem. I don't see how that could be of any possible interest. The machines in question are already the MX hosts for the zone.

Perry