Enforcing IP restrictions is absolutely critical to complete protection of your mail server. Because hackers and spammers can easily bypass cloud services and target your server directly, mail servers protected by Reflexion should accept only accept SMTP connections from Reflexion IP's listed below and deny all other traffic:
69.84.129.224/27 (255.255.255.224)
100.42.120.128/27 (255.255.255.224)
100.42.115.0/27 (255.255.255.224)
Exchange 2007/2010
1. Open the Exchange Management Console.
2. Navigate to: Server Configuration - Hub Transport - Default Receive Connector - Properties - Network tab.
3. Under "Receive mail from remote servers that have these addresses:" find the entry that says 0.0.0.0-255.255.255.0 and delete the record.
4. Under "Receive mail from remote servers that have these addresses:" click Add. Input the first Reflexion IP range. Repeat this step for each Reflexion IP
5. Click on the Permission Group Tab and ensure that "Anonymous" delivery is allowed from our ranges.
6. Stop and restart the MSExchangeTransport service on the HUB transport server(s)
Exchange 2003
* Open the Exchange System Manager.
* Expand Servers, Server Name, Protocols, SMTP - right click "Default SMTP Virtual Server" (Or the active receive connector name) and select properties
* Navigate to the Access tab and then select the Connection button.
* Remove any entries from previous providers or entries that have the IP range 0.0.0.0 - 255.255.255.0
* Click Add to enter a new IP restriction. Select the Group of computers option, insert the first IP range for Reflexion and set the subnet mask to 255.255.255.224 - click OK. Repeat this step for each the Reflexion IP's
* Restart the Simple Mail Transfer Protocol (SMTP) service to apply the changes.
