mxallowd is a daemon for netfilter (using libipq) which implements a slightly improved nolisting mechanism. Basically, your nameserver has to be configured to return two MX IP addresses, of which one (the one with higher priority) does not run a mail server on port 25.
Most spammers try to connect directly to the first mail server; mxallowd blocks that. You have to connect to the first one and then to the second one; direct connections do not work. Real mail servers (not spammers) have to try all MX IP addresses in order (sorted by priority) until they succeed in delivering the mail.
The problem with nolisting is that some spammers (probably because of the nolisting) try to connect directly to the second MX ("direct-to-second-MX"). This is where mxallowd comes in: you cannot connect to the second mail server either, unless you have tried connecting to the first mail server before (you are whitelisted then).
This problem could be solved using iptables with the ipt_recent module as well, if it were not for one little detail: some providers (for example Google Mail) use the same DNS name but different IP addresses when trying the mail servers in order. So ipt_recent, which works solely on IP addresses, does not let mail from Google Mail through. mxallowd, by contrast, whitelists all IP addresses of the DNS name (unless you specify the option --no-rdns-whitelist, of course).
In order to let mxallowd handle the connections, one has to add the following iptables rule:
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j QUEUE
If inserting this rule fails, you have to load the queue module into the kernel using modprobe ip_queue.
You can of course modify this rule to handle, for example, only certain IP addresses, or to accept connections from certain IP addresses (whitelisting; use -j ACCEPT at the end of the rule).
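The verdict logic described above, as an added simulation that is not mxallowd's own code: a small Python model of the per-connection decision the daemon makes for each queued NEW connection to port 25. The MX addresses, the PTR table standing in for real reverse-DNS lookups, and the whitelist lifetime (ttl) are constructed assumptions.

```python
from typing import Callable, Dict, Optional

MX1 = "192.0.2.10"  # first MX: no listener on port 25 (constructed address)
MX2 = "192.0.2.20"  # second MX: the real mail server (constructed address)

# Constructed PTR records standing in for real reverse-DNS lookups.
RDNS: Dict[str, Optional[str]] = {
    "198.51.100.5": "mail-a.example.net",
    "198.51.100.6": "mail-a.example.net",  # same name, different IP (the Google Mail case)
    "203.0.113.9": None,                   # no PTR record at all
}

class NolistingFilter:
    def __init__(self, rdns: Callable[[str], Optional[str]],
                 ttl: float = 600.0, rdns_whitelist: bool = True) -> None:
        self.rdns = rdns
        self.ttl = ttl                        # how long a first-MX attempt stays valid (assumed)
        self.rdns_whitelist = rdns_whitelist  # False models --no-rdns-whitelist
        self.ips: Dict[str, float] = {}       # source IP -> whitelist expiry
        self.names: Dict[str, float] = {}     # rDNS name -> whitelist expiry

    def verdict(self, src: str, dst: str, now: float) -> str:
        """Decide ACCEPT/DROP for one NEW TCP/25 connection, as the daemon is asked via libipq."""
        if dst == MX1:
            # Nothing listens here, so the kernel refuses it anyway; the attempt earns the whitelist entry.
            self.ips[src] = now + self.ttl
            name = self.rdns(src)
            if self.rdns_whitelist and name:
                self.names[name] = now + self.ttl
            return "ACCEPT"
        if dst == MX2:
            if self.ips.get(src, 0.0) > now:
                return "ACCEPT"
            name = self.rdns(src)
            if self.rdns_whitelist and name and self.names.get(name, 0.0) > now:
                return "ACCEPT"  # a sibling IP of the same mail cluster tried MX1 first
            return "DROP"        # direct-to-second-MX: never seen at MX1, refuse
        return "ACCEPT"          # not one of our MX addresses; leave it alone

def demo() -> Dict[str, str]:
    f = NolistingFilter(RDNS.get)
    spam = f.verdict("203.0.113.9", MX2, now=0.0)      # direct-to-second-MX attempt
    f.verdict("198.51.100.5", MX1, now=1.0)            # real MTA tries the first MX
    sibling = f.verdict("198.51.100.6", MX2, now=2.0)  # retry from another IP, same name
    strict = NolistingFilter(RDNS.get, rdns_whitelist=False)
    strict.verdict("198.51.100.5", MX1, now=1.0)
    strict_sibling = strict.verdict("198.51.100.6", MX2, now=2.0)
    return {"spam": spam, "sibling": sibling, "strict_sibling": strict_sibling}
```

With the rDNS whitelist disabled the sibling address is treated like ipt_recent would treat it: a different IP, so it is dropped.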
What's New in This Release:
· mxallowd is now correctly started in the background.
· The pidfile is written correctly (using O_TRUNC).