Solved

Need to allow only smtp traffic from one IP

Posted on 2004-10-12
9
469 Views
Last Modified: 2010-04-10
We use an outside company to filter all of our e-mail before it hits our mail server.  I need to configure my PIX firewall to only accept port 25 traffic from ip address 64.18.0.0 Mask 255.255.240.0.  
My current Access list is access-list 101 permit tcp any host 63.167.210.120 eq smtp.  63.167.210.120 being my mail server.  The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

I am assuming the access list should look like this:

access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp

When I am in config mode, i have typed no access-list 101 permit tcp any host 63.167.210.120 eq smtp (this removes the line fine)
but when  try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax??
Thanks
0
Comment
Question by:chadd25
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
try


access-list 101 permit tcp host 64.18.0.0 0.0.240.255 63.167.210.120 eq smtp
0
 
LVL 3

Expert Comment

by:happythedog
Comment Utility
access-list 101 permit tcp host 64.18.0.0 255.255.240.0 0.0.0.0 63.167.210.120 0.0.0.0 eq smtp is how it should read
0
 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 200 total points
Comment Utility
>The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

Your senders MUST use MX records.  The only scenario I can think of where this may not be appropriate might be a dedicated application that has a hard-coded ip address.  Your revised access looks good.  We are using Positini and have our MX records pointed at them.  We have more than 1000 email recipients.  Positini has been absolutely wonderful.

Do you know eho your senders are?  If so, we could bring them into this discussion thread.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 300 total points
Comment Utility
or

access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Author Comment

by:chadd25
Comment Utility
Thanks guys.  We are using Postini.  Accepted answer took in the PIX.  Working properly now.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
>when  try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax??
Yes, your syntax is wrong.

Don't use keyword "host" when referencing a subnet
>access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp
                                       ^^^

As Pete correctly suggested, the correct syntax is:
   access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Dang... a minute late and a dollar short....

<8-}

- Cheers!
0
 
LVL 1

Author Comment

by:chadd25
Comment Utility
Thanks anyway lrmoore!!  I now understand the command due to your comment.  Since I am accepting from a range of IP's, HOST is not needed since I am not accepting from only one IP.
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
ThanQ
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now