profile picture

Michael Stapelberg

mxallowd (2014)

published 2014-11-07, last modified 2018-03-18
Edit Icon

An meine deutschen Besucher: Es gibt eine deutsche version dieser Seite.

mxallowd is a daemon for linux/netfilter (using libnetfilter_queue) or BSD/pf (via pflog) which implements a slightly improved nolisting mechanism. Basically your nameserver has to be configured to return two MX ip addresses of which one does not run a mail server on port 25 (the one with higher priority). Most spammers try to connect directly to the first mailserver – mxallowd blocks that. You have to connect to the first one and then to the second one, direct connections do not work. Real mailservers (not spammers) have to try all MX ip addresses in order (sorted by priority) until they succeed in delivering the mail.

The problem with nolisting is that some spammers try (probably because of the nolisting) to connect directly to the second MX ("direct-to-second-mx"). This is where mxallowd turns in: You cannot connect to the second mailserver aswell, except if you have tried connecting to the first mailserver before (you are whitelisted then).

This problem could be solved using iptables with the module ipt_recent aswell, if it wasn’t for one little detail: Some providers (for example Google Mail) use the same DNS name but different ip addresses when trying the mailservers in order. So ipt_recent, which works solely using ip addresses, does not let mails from Google Mail through. mxallowd in contrary whitelists all ip addresses of the DNS name (except if you specify the option --no-rdns-whitelist of course).

Setup on Linux

In order to let mxallowd handle the connections, one has to add the following iptables-rule:

iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j NFQUEUE --queue-num 23

If inserting this rule fails you have to insert the queue module into the kernel using modprobe nfnetlink_queue.

You can modify this rule of course to handle, for example, only certain ip addresses or to accept connections from certain ip addresses (whitelisting, use -j ACCEPT at the end of the rule).

Setup on BSD

Your /etc/pf.conf could look like this:

table  persist



pass in quick log on fxp0 proto tcp from  \
	     to $real_mailserver port smtp
pass in quick log on fxp0 inet6 proto tcp from  \
	     to $real_mailserver6 port smtp
block in log on fxp0 proto tcp \
	      to { $fake_mailserver $real_mailserver } port smtp
block in log on fxp0 inet6 proto tcp \
	      to { $fake_mailserver6 $real_mailserver6 } port smtp

The important things are that the table mx-white exist and that the pass- and the block-rules specify the log modifier. If you use another pflog-interface, you can tell mxallowd this via parameter.

Help, i cannot send mails anymore!

That’s right – if you use the same mailserver to send your mails, your mailclient will probably try only the first ip address (which does not run a mailserver). I’d recommend sending mails via SMTPS (SSL) because its port (465) will not be filtered if you don’t explicitly set it up (see "Setup"). Alternatively, you could run your mailserver additionally on another port which only you use (spammers won’t do a portscan, if they don’t even use standard-compliant mailers…). If you have a static ip address you can whitelist it in iptables of course (see "Setup").



mxallowd is free open source software under the GPL2.


Current development can be followd in gitweb.


If you would like to drop me a message, please send me an email.