We are using MessageLabs to filter our email. I have been trying to lock down our firewall to only accept smtp connections from the messagelabs mail servers using the following;

INPUT -p tcp -m tcp --dport 25 -m iprange --src-range xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx -j ACCEPT

I have done this for each of ML's IP ranges.

However, some mail is still getting through from other hosts (spammers) by directly connecting to our mail server.

What else do I need to lock down to prevent this?

Thank you.

You are accepting from them - but do you deny others?
A DROP rule for port 25 as the last line?

This is my config file.

eth0 is a local NIC. eth1 is the external NIC.

Sorry for my ignorance, but I think I have denied all access to eth1 on port 25, except to the IP's listed below.

Thank you.

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [559:660700]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 85.158.136.0-85.158.143.255 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 216.82.240.0-216.82.255.255 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 117.120.16.0-117.120.23.255 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 193.109.254.0-193.109.255.255 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 194.106.220.0-194.106.221.255 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 195.245.230.0-195.245.231.255 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 62.231.131.0-62.231.131.255 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 212.125.75.0-212.125.75.31 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 62.173.108.16-62.173.108.31 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m iprange --src-range 62.173.108.208-62.173.108.223 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

I think there should by a DROP rule or policy

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

How are you making the determination that other IPs are connecting to your mail server? It's possible that they are forging headers to appear to have come from somewhere else, when the mail is actually going through MessageLabs but simply not getting blocked.