# Email Firewall and Access Rules
An email firewall layers access controls between attackers and your mail infrastructure — blocking known-bad IPs, rate-limiting abuse, restricting administrative access to trusted networks, and enforcing geographic boundaries on mail traffic. This article covers the access-control layers UK businesses deploy on Axigen-based mail platforms, including practical UK-specific configurations.
An email firewall is not a single device — it is a layered set of controls operating at different levels of the mail stack:
- Network layer. TCP/IP firewall rules blocking/allowing specific IPs and ports.
- SMTP layer. Connection-level controls (rate limits, geographic blocks, known-bad sources).
- Application layer. Authentication and authorisation controls at the mail server.
- Administrative layer. Controls on management access to mail infrastructure.
For UK businesses using Axigen (the platform underpinning SmartXHosting email plans), these controls are configured through the admin console with granular per-policy rules.
A layered approach prevents single-point bypass. Typical UK email firewall stack:
| Layer | Control | Purpose |
| --- | --- | --- |
| Network | Cloud provider or hardware firewall | Block port 25 probing from random IPs; limit to authorised ports only |
| SMTP connection | RBL integration; connection rate limits | Reject known-spam sources; prevent brute-force |
| SMTP HELO/EHLO | Banner validation; PTR check | Reject servers lacking valid reverse DNS |
| SMTP envelope | Per-sender rate limits | Prevent compromised account abuse |
| Authentication | MFA; password policy; login rate limits | Prevent credential stuffing |
| Admin access | VPN; source IP allowlist; MFA | Restrict administrative access |
| API/webmail | Rate limits; session timeouts | Limit automated abuse |
IP-based rules in Axigen support:
- Allow-list mode. Only specified IPs can connect. Used for admin interfaces or dedicated relay.
- Block-list mode. Specified IPs blocked; all others allowed. Used for known-bad actors.
- Ranges (CIDR). Rules apply to subnets, not individual IPs.
- Dynamic updates. Integration with RBL for automatic block updates.
For UK businesses, common patterns:
- Allow-list the office IP range for admin console.
- Allow-list office IPs for user submission alongside authentication.
- Block lists populated from RBL integrations (Spamhaus, Barracuda).
- Custom block entries for specific attacker infrastructure observed in logs.
Rate limiting prevents abuse through controls such as:
- Connections per IP per minute. Blocks brute-force attempts.
- Messages per sender per hour. Limits damage from compromised accounts.
- Recipients per message. Blocks bulk spam from compromised sources.
- Authentication attempts per user. Prevents credential stuffing.
- API calls per key per minute. Controls automation abuse.
Sensible UK SME baseline:
- Connections per IP per minute: 30
- Messages per sender per hour: 500 (average user)
- Messages per sender per hour: 5000 (bulk-sending accounts)
- Recipients per message: 100
- Authentication failures per user per hour: 5 (then lockout for 1 hour)
Tune based on observed patterns. Strict enough to block abuse; loose enough not to affect legitimate users.
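The two baseline controls that matter most for abuse (connections per IP per minute and the 5-failures-then-lockout rule) as a sliding-window limiter. This is an added illustration, not Axigen's own implementation; the class and function names are this example's own, and timestamps are passed in explicitly so the behaviour can be checked offline.

```python
from collections import defaultdict, deque

# Baseline thresholds from the article (UK SME). Class and function names
# are this example's own, not Axigen configuration keys.
CONN_PER_IP_PER_MIN = 30
AUTH_FAILS_PER_USER_PER_HOUR = 5
LOCKOUT_SECONDS = 3600


class SlidingWindow:
    """Per-key event timestamps kept inside a rolling window of `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Record an event for key and return how many fall inside the window."""
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q)


class ConnectionLimiter:
    """Connections per IP per minute (baseline: 30)."""

    def __init__(self, limit=CONN_PER_IP_PER_MIN, window=60):
        self.limit = limit
        self.window = SlidingWindow(window)

    def allow(self, ip, now):
        # Rejected attempts are counted too, so a flood stays throttled
        # until the source actually backs off for a full window.
        return self.window.hit(ip, now) <= self.limit


class AuthThrottle:
    """Five failures in an hour locks the account for an hour (baseline)."""

    def __init__(self, limit=AUTH_FAILS_PER_USER_PER_HOUR, window=3600,
                 lockout=LOCKOUT_SECONDS):
        self.limit = limit
        self.window = SlidingWindow(window)
        self.lockout = lockout
        self.locked_until = {}

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user, now):
        """Record a failed login; return True when the account is locked."""
        if self.is_locked(user, now):
            return True  # failures during an active lockout do not extend it
        if self.window.hit(user, now) >= self.limit:
            self.locked_until[user] = now + self.lockout
            return True
        return False
```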
Blocking connections from specific countries is controversial but effective for UK businesses with no international customer base.
Typical UK approach:
- SMTP port 25 inbound. Rarely geo-blocked — mail should be accepted from anywhere legitimate mail comes from.
- Submission ports 465/587. Often restricted to UK/EU IPs for user authentication. Travellers authenticate via VPN.
- Webmail/IMAP/POP3. Similar restrictions.
- Admin access. UK-only or specific office IPs.
Tooling: MaxMind GeoIP database; Axigen integrations; firewall-level GeoIP blocking.
Risks: legitimate users abroad get locked out. Mitigate with clear communication, VPN access and an exception process.
Mail server administration is a high-value target. Controls:
- IP allow-list for admin console. Only trusted networks.
- VPN requirement. Admin tasks only via VPN.
- MFA on all admin accounts. Non-negotiable.
- Role-based administration. Least privilege; separate super-admin from day-to-day admin.
- Session timeouts. Auto-logout after inactivity.
- Audit logging. Every admin action logged.
- Privileged access management. Time-limited elevated access for specific tasks.
For UK-regulated businesses (finance, healthcare), additional controls may be required by sector-specific regulation.
User authentication policies protect against credential-based attacks:
- Strong passwords. 12+ characters, complexity requirements, no dictionary words.
- MFA on all user accounts. Ideally phishing-resistant (TOTP, WebAuthn). SMS as fallback only.
- Password rotation. Modern NCSC guidance: change on suspected compromise, not on arbitrary schedule.
- Account lockout. Temporary lockout after failed attempts (5-10 failures).
- Session management. Clear session on logout; timeout inactive sessions.
- OAuth / modern auth. Supported where possible.
Mail infrastructure faces DDoS attempts:
- Connection flooding. Attacker opens many connections to exhaust server capacity.
- SMTP command flooding. Legitimate-looking connections sending endless commands.
- Bandwidth exhaustion. Large mail volumes filling network pipe.
Mitigations:
- Connection rate limits (per IP, per subnet).
- Dedicated DDoS protection service (Cloudflare, AWS Shield) in front of mail infrastructure.
- Multi-region deployment with failover.
- BCP/DR plan for mail service.
For UK SMEs, managed mail platforms handle DDoS protection at scale. Self-hosted UK mail servers need explicit DDoS protection investment.
Hard caps on concurrent connections prevent resource exhaustion:
- Global server limit. Maximum simultaneous SMTP connections.
- Per-IP connection limit. Single source cannot monopolise server.
- Per-user limit. User cannot flood submission port.
Tuning depends on server capacity and expected volume.
A firewall without logging is invisible. Essential logs:
- SMTP connections (source, time, result).
- Authentication attempts (success and failure).
- Rate-limit events (when users or IPs triggered).
- Blocked connections with reason.
- Admin actions.
Aggregate in SIEM (Splunk, Elastic, Sumo Logic) for:
- Alerting on anomalies.
- Historical investigation during incidents.
- Compliance audit evidence.
- Capacity planning.
Rely on a managed platform (SmartXHosting, Microsoft 365); the firewall is handled by the provider. The customer configures MFA enforcement and admin role assignments. Cost: minimal.
Managed platform plus specific admin restrictions (IP allow-list for admin console, VPN for sensitive operations). Additional logging integration with company SIEM if deployed. Cost: low-moderate.
Full firewall stack: network firewall + platform controls + geographic restrictions + privileged access management + extensive audit logging. Sometimes combined with on-premises or hybrid infrastructure. Cost: substantial; justified by regulatory requirement.
NCSC guidance + specific framework (G-Cloud, etc.) drives configurations. Typically UK-only network access; comprehensive audit trail; integration with government-wide monitoring.
Managed platform with basic firewall. Budget constraints usually limit sophisticated configurations. MFA essential despite constraints.
SmartXHosting Axigen firewall baseline: Business Email, Private Email and Public Administration Email plans provide connection rate limits, authentication throttling, RBL integration, DDoS protection, MFA-ready authentication and audit logging by default. Customers configure admin access restrictions, optional geographic controls and custom block lists as required.
During active security incidents, firewall controls provide rapid response primitives:
- Instant IP block. Add attacker's source IP to firewall blocklist.
- Emergency rate limit. Reduce thresholds temporarily during incident.
- Admin access lockdown. Restrict admin console to specific trusted IP.
- Authentication halt. Disable affected accounts via firewall or admin controls.
- Forensic log collection. Preserve firewall logs for investigation.
A documented response playbook with firewall-level actions enables response within minutes rather than hours, which is critical for containing incident damage.
Five-minute assessment for a UK business:
| Check | Good answer |
| --- | --- |
| Is MFA enforced for every user? | Yes |
| Are admin accounts accessible only from known IPs/VPN? | Yes |
| Is there an RBL or spam filter rejecting known-bad IPs? | Yes |
| Are authentication failures rate-limited? | Yes |
| Is port 25 accessible only to MX traffic? | Yes |
| Are firewall logs reviewed regularly? | Yes |
| Is there an incident response plan? | Yes |
Any "no" indicates an improvement opportunity. Prioritise based on risk exposure.
Firewall logs are high-volume. Alerting thresholds that balance signal against noise:
- Failed authentications from one IP exceeding 10 in 10 minutes — investigate.
- Rate limit triggered more than 100 times in an hour — review the rule or identify a user issue.
- Blocklist matches rising above 5% of allow-list volume — significant spam surge.
- New admin access outside usual hours or IPs — investigate.
- Configuration change without a corresponding ticket — check for unauthorised access.
Tune thresholds to the specific organisation's baseline. What looks anomalous in one UK business is normal in another.
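Two of the thresholds above (failed authentications from one IP over 10 in 10 minutes, and admin access outside usual hours or IPs) run over constructed log lines. This is an added example, not SmartXHosting or Axigen code: the log layout, the office network 192.0.2.0/24 and the 08:00 to 18:00 admin window are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Thresholds from the article; the office range and admin hours are assumptions.
FAIL_THRESHOLD = 10
FAIL_WINDOW = timedelta(minutes=10)
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
ADMIN_HOURS = (time(8, 0), time(18, 0))


def constructed_log():
    """Constructed sample lines in a simple 'timestamp event user ip' layout
    (not Axigen's real log format)."""
    lines = [
        "2024-05-01T09:00:00 ADMIN_LOGIN admin 192.0.2.10",    # normal
        "2024-05-01T02:13:40 ADMIN_LOGIN admin 198.51.100.9",  # odd hour, odd IP
        "2024-05-01T09:06:00 AUTH_FAIL carol 198.51.100.22",   # single typo
    ]
    base = datetime(2024, 5, 1, 9, 5, 0)
    for i in range(11):  # eleven failures from one IP inside eight minutes
        ts = (base + timedelta(seconds=45 * i)).isoformat()
        lines.append(f"{ts} AUTH_FAIL bob 203.0.113.7")
    return lines


def parse(line):
    ts, event, user, ip = line.split()
    return datetime.fromisoformat(ts), event, user, ipaddress.ip_address(ip)


def find_alerts(lines):
    """Return (rule, ip) pairs for the two log-based rules from the article."""
    alerts = []
    fails = defaultdict(deque)
    flagged = set()
    for ts, event, user, ip in sorted(parse(line) for line in lines):
        if event == "AUTH_FAIL":
            q = fails[ip]
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            q.append(ts)
            # "over 10 in 10 minutes": alert once per IP, not on every line
            if len(q) > FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("auth_fail_burst", str(ip)))
        elif event == "ADMIN_LOGIN":
            in_hours = ADMIN_HOURS[0] <= ts.time() <= ADMIN_HOURS[1]
            known_ip = any(ip in net for net in ADMIN_NETWORKS)
            if not (in_hours and known_ip):
                alerts.append(("admin_anomaly", str(ip)))
    return alerts
```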
Traffic shaping distributes bandwidth and connection resources among competing mail flows:
- Outbound submission from users: dedicated capacity.
- Inbound MX: separate capacity pool.
- Admin API: lowest priority, bounded share.
- Webmail: separate bandwidth class.
- Backup/replication: off-peak window if bandwidth limited.
For UK SMEs on managed platforms, traffic shaping is handled by the provider. Self-hosted UK deployments may need QoS configuration at the network layer.
Axigen supports per-user policies beyond global rules:
- Individual quotas (mailbox size, message rate, attachment limits).
- User-level allow/deny lists (block specific senders).
- Role-based access to specific shared folders or mailboxes.
- Per-user IMAP/POP3 authentication options.
- Per-user retention policies for specific departments.
Useful for UK organisations with diverse roles — sales team with broader outbound rules, finance with stricter inbound controls, receptionist with monitored mail flow.
For UK organisations running self-hosted Axigen in containers, additional controls apply:
- Container isolation from host.
- Runtime restrictions (no-new-privileges, read-only root filesystem where feasible).
- Resource limits (CPU, memory, connections).
- Image signing and verification.
- Vulnerability scanning during CI/CD.
Cloud-native Axigen deployments on Kubernetes benefit from network policies, pod security policies and similar Kubernetes-level controls alongside Axigen's own firewall.
Spam filtering combines multiple techniques at connection time:
- SURBL / URIBL. Block mail containing URLs known as spam/malware hosts.
- Content analysis. Machine learning classifiers assess message content.
- SpamAssassin rules. Rule-based content scoring; weighted sum triggers rejection or tagging.
- Bayesian learning. User-trained on what is and isn't spam for organisational context.
- Greylisting. Temporary deferral of unknown senders; forces re-send that typical spam does not attempt.
- Recipient verification. Reject mail to non-existent addresses immediately (prevents dictionary attacks).
Axigen and comparable platforms integrate these. The tuning balance: aggressive settings mean less spam but more false positives; passive settings mean better delivery but more spam in the inbox.
UK business decision on firewall investment:
| Aspect | Managed platform (SmartXHosting, M365, Google) | Self-hosted Axigen |
| --- | --- | --- |
| Baseline firewall | Included | Customer configures |
| RBL integration | Managed | Customer maintains |
| DDoS protection | Managed | Customer arranges |
| Security patches | Managed | Customer applies |
| Custom rules flexibility | Limited | Full control |
| Cost | Per-user subscription | Infrastructure + admin time |
| Ops overhead | Low | Significant |
For most UK SMEs: managed platform best value. For regulated organisations with specific control requirements: self-hosted with full firewall tuning. Middle ground: managed platform with supplementary perimeter controls (separate firewall appliance, DLP gateway).
The SMTP protocol itself has attack surfaces that firewall controls address:
- Command injection. Attacker injects SMTP commands to confuse the server. Modern servers parse strictly.
- Pipelining abuse. Multiple commands in one packet; rate limit per pipeline.
- STARTTLS stripping. A network attacker removes the STARTTLS capability; MTA-STS and DANE prevent this.
- Timing attacks. User enumeration via response timing differences; use consistent response handling.
- Memory exhaustion. Very large messages or headers; enforce maximum sizes.
- Infinite loops. Malformed recipients causing loops; the mail server detects and limits them.
Axigen and modern alternatives harden against these. Consistent patching essential — vulnerabilities in SMTP parsers occasionally require server updates.
UK Cyber Essentials scheme requires specific firewall controls:
- Boundary firewalls: internet-facing services restricted to necessary ports.
- Passwords changed from defaults.
- Administrative access restricted.
- Inbound connections restricted by rule.
- Outbound connections: from 2023+, restrictions increasingly expected.
For UK SMEs pursuing Cyber Essentials Plus certification, email firewall posture is examined. Managed mail platforms typically meet requirements; self-hosted deployments need explicit certification effort.
NCSC broader firewall guidance supports these baseline Cyber Essentials requirements — applicable whether formally certifying or not.
Email firewall works alongside broader security controls:
- SIEM/SOC. Mail firewall logs feed Security Operations Centre for correlation with other events.
- EDR (Endpoint Detection and Response). Mail-delivered malware detected at endpoint; correlates with mail firewall logs.
- Identity provider. SSO/OIDC integration means email follows organisational authentication policy.
- Anti-phishing gateway. Mimecast, Proofpoint, Barracuda operate in front of mail server for advanced analysis.
- DLP (Data Loss Prevention). Outbound mail scanned for sensitive data patterns.
- CASB (Cloud Access Security Broker). Mail API access monitored for anomalies.
For UK businesses at scale, integration with these tools multiplies security effectiveness. For UK SMEs, the mail platform's built-in firewall plus MFA is often a sufficient baseline.
Beyond server-level firewall, user-level filtering (Sieve) provides fine-grained control:
- Users filter inbound mail by sender, subject, content.
- Admin-imposed sieve rules for organisational policies.
- Auto-archive, auto-forward, out-of-office, vacation responses.
- Spam classification refinement for individual users.
Axigen supports Sieve per RFC 5228. For UK businesses, typical admin-level rules:
- Auto-file external mail to specific folder.
- Flag mail from specific senders (suppliers, regulators) for priority attention.
- Suppress known low-value internal mail from inbox.
- Route mail containing specific keywords to review queue.
Mailbox storage quotas serve a security function beyond storage management:
- Prevent account compromise leading to an unbounded archive of sensitive data.
- Force retention discipline aligned with UK GDPR.
- A quota filling unexpectedly is itself a trigger for anomaly investigation.
- Limit damage if compromised account used to archive confidential data elsewhere.
Typical UK SME quotas: 10-50 GB per user. Larger for specific roles (archival, finance). Too small causes operational friction; too large reduces security benefit.
When an account is suspected compromised, firewall controls support rapid response:
- Lock account. Disable authentication immediately.
- Block sending. Rate limit to zero or outright deny outbound from account.
- Identify source IPs. Authentication log shows where compromised account was accessed from.
- Block source IPs. Add to block list to prevent further access attempts.
- Investigate. Audit log provides detail on what actions the compromised account took.
- Rotate credentials. New password (user may need MFA reset).
- Notify if breach. ICO if personal data affected.
- Restore access. Once compromise contained, restore legitimate access.
Firewall and logging together enable containment within minutes rather than hours, which is critical for limiting damage.
Axigen (and comparable platforms) integrate with DNS-based block lists at connection time. Process:
- The server looks up the connecting IP against the configured RBLs (Spamhaus ZEN, Barracuda BRBL, SpamCop, etc.).
- If the IP is listed on any consulted RBL, the returned DNS response code indicates which list(s) it matched.
- The configured action is applied: reject, defer, add a header, or increase the spam score.
- Legitimate mail continues; known-bad sources are rejected at SMTP.
Practical configuration for UK SMEs:
- Spamhaus ZEN — comprehensive; reject on listing.
- Barracuda BRBL — secondary check; reject.
- SpamCop — supplementary; usually score rather than reject.
- Custom internal blocklist — per-customer, updated from incident history.
Monitor false-positive rate: RBLs occasionally list legitimate senders incorrectly. Exception process needed for affected partners.
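The lookup and per-list policy described above (ZEN and BRBL reject, SpamCop scores, a custom internal list), written out as an added example rather than Axigen's own RBL code. DNS is replaced by an injected resolver so it runs offline; the internal zone name and the sample answers are constructed, and the guard against answers outside 127.0.0.0/8 covers the "free lists go offline" failure mode noted in the maintenance section.

```python
import ipaddress

# Per-list policy after the article: ZEN and BRBL reject on listing, SpamCop
# only adds to a score, and a customer-maintained internal list rejects.
# The internal zone name is a constructed placeholder.
RBL_POLICY = {
    "zen.spamhaus.org": ("reject", 0),
    "b.barracudacentral.org": ("reject", 0),
    "bl.spamcop.net": ("score", 3),
    "bl.internal.example": ("reject", 0),
}
REJECT_SCORE = 5           # summed score at which "score" listings reject
DNSBL_ANSWERS = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def evaluate(ip, resolve):
    """Decide the SMTP-time action for a connecting IP.

    resolve(name) must return the A records for name as strings, or []
    when the name does not exist (i.e. the IP is not listed)."""
    listed, score = [], 0
    for zone, (policy, weight) in RBL_POLICY.items():
        records = resolve(dnsbl_name(ip, zone))
        # Real DNSBL listings answer inside 127.0.0.0/8. A defunct list whose
        # domain lapses may wildcard every query to a public IP; treating that
        # as a listing would reject all mail, so such answers are ignored.
        hits = [r for r in records if ipaddress.IPv4Address(r) in DNSBL_ANSWERS]
        if not hits:
            continue
        listed.append((zone, hits))
        if policy == "reject":
            return "reject", listed
        score += weight
    return ("reject" if score >= REJECT_SCORE else "accept"), listed


def constructed_resolver(table):
    """Offline stand-in for DNS, backed by a dict of name -> A records."""
    return lambda name: table.get(name, [])


# Constructed sample answers (documentation IPs, not real listings).
SAMPLE_DNS = {
    dnsbl_name("203.0.113.7", "zen.spamhaus.org"): ["127.0.0.4"],
    dnsbl_name("198.51.100.9", "bl.spamcop.net"): ["127.0.0.2"],
    dnsbl_name("192.0.2.5", "b.barracudacentral.org"): ["93.184.216.34"],
}
```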
Default settings rarely fit specific UK business patterns. Tuning priorities:
- Rate limits match observed peak volume. Busy period 2-3x normal; normal 2-3x minimum. Tune to peak + 25% headroom.
- Geographic rules match customer footprint. If customers only in UK/EU, restrict submission to UK/EU. If international, broader rules.
- Admin rules match admin workforce. UK-only admin workforce → UK allow-list. Distributed admin → broader.
- Authentication lockout matches user tolerance. 5-failure lockout for 60 min is reasonable; 3-failure for 24h is too aggressive for a typical UK business.
- Connection limits match infrastructure capacity. Over-restrictive blocks legitimate bursts; under-restrictive allows abuse.
Running firewall controls requires ongoing attention:
- Review block/allow lists quarterly. Stale entries cause unnecessary blocks.
- Monitor false-positive rate. Overly aggressive firewall blocks legitimate mail.
- Update RBL subscriptions. Commercial RBLs need renewal; free ones may go offline.
- Test firewall rules after major changes. Ensure intended behaviour.
- Document exception process. When legitimate user needs an exception to policy.
Common mistakes:
- Too aggressive rate limits. Users throttled during legitimate bursts. Adjust to observed patterns.
- Overly broad geographic blocks. UK customer travelling to EU blocked.
- No MFA on admin. Highest-value target left vulnerable.
- Admin access from any IP. Firewall that allows admin from anywhere adds little value.
- No audit log review. Logs exist but nobody looks at them until incident.
- No exception process. Policies too rigid; users find workarounds.
Q: Do UK businesses need a separate "email firewall" device?
A: Rarely. Modern mail platforms (Axigen, Microsoft, Google) have firewall features integrated. Hardware or separate appliances for specific large-scale or regulated deployments.
Q: Is geographic blocking effective against UK-targeted attacks?
A: Modestly. Many attackers use UK-based proxies. Geographic blocking reduces volume but does not eliminate UK-targeted threats.
Q: How does MFA fit with firewall controls?
A: Complementary. Firewall limits where authentication attempts can originate; MFA ensures credentials alone cannot authenticate.
Q: Should UK mail firewalls allow connections from Tor?
A: Usually no — Tor traffic heavily correlated with abuse. Legitimate Tor-using users rarely send business mail via Tor. Block by default with exception process.
Q: What firewall rule prevents the most attacks?
A: Authentication throttling. Credential stuffing is constant; 5-failure-then-lockout blocks brute-force with minimal user impact.
Q: How do UK charities balance firewall security with volunteer flexibility?
A: Basic controls (MFA, rate limits) affordable and essential. Complex controls (geographic blocks, privileged access management) often beyond charity resources; rely on platform baseline.