Status: Solved

Need to allow only smtp traffic from one IP

We use an outside company to filter all of our e-mail before it hits our mail server. I need to configure my PIX firewall to only accept port 25 traffic from IP address 64.18.0.0 mask 255.255.240.0.
My current access list is access-list 101 permit tcp any host 63.167.210.120 eq smtp, 63.167.210.120 being my mail server. The problem is, when senders do not follow MX rules and send directly to my mail server, the external filtering company is bypassed.

I am assuming the access list should look like this:

access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp

When I am in config mode, I have typed no access-list 101 permit tcp any host 63.167.210.120 eq smtp (this removes the line fine)
but when I try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out. Is there something wrong with my syntax??
Thanks
Asked by: chadd25
2 Solutions
 
Pete Long (Consultant) commented:
try


access-list 101 permit tcp host 64.18.0.0 0.0.240.255 63.167.210.120 eq smtp
 
happythedog commented:
access-list 101 permit tcp host 64.18.0.0 255.255.240.0 0.0.0.0 63.167.210.120 0.0.0.0 eq smtp is how it should read
 
netspec01 commented:
>The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

Your senders MUST use MX records. The only scenario I can think of where this may not be appropriate might be a dedicated application that has a hard-coded IP address. Your revised access looks good. We are using Postini and have our MX records pointed at them. We have more than 1000 email recipients. Postini has been absolutely wonderful.

Do you know who your senders are? If so, we could bring them into this discussion thread.
 
Pete Long (Consultant) commented:
or

access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
 
chadd25 (Author) commented:
Thanks guys. We are using Postini. Accepted answer took in the PIX. Working properly now.
 
lrmoore commented:
>when I try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out. Is there something wrong with my syntax??
Yes, your syntax is wrong.

Don't use keyword "host" when referencing a subnet
>access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp
                            ^^^^

As Pete correctly suggested, the correct syntax is:
   access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
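As an added illustration of the point lrmoore makes (this is not code from any poster in the thread, and a PIX does not run Python): the model below parses the PIX 6.x access-list syntax used above (any, host A.B.C.D, or A.B.C.D followed by a subnet mask, with an optional eq port) and evaluates a few constructed inbound connections with first-match-wins and the firewall's implicit deny. It shows why the original "permit tcp any" line lets a sender that ignores the MX records reach the mail server directly, why the corrected 64.18.0.0 255.255.240.0 line admits only the filtering provider's /20, and that putting "host" in front of a subnet is rejected as malformed. The sender addresses 64.18.5.10, 64.18.16.1 and 198.51.100.7 are constructed samples; only the mail server and the 64.18.0.0/20 block come from the thread.

```python
"""Model of how a Cisco PIX access-list decides an inbound SMTP connection.

Added illustration only. It covers the PIX 6.x syntax used in this thread
(any / host A.B.C.D / A.B.C.D SUBNET-MASK, optional 'eq <port>') and applies
first-match-wins with the implicit deny that follows every PIX access-list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port names accepted after "eq"; smtp is the only one the thread needs.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" ("ip" matches any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def parse_pix_ace(line: str) -> AclEntry:
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]'.

    <src>/<dst> are 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' where the second
    word is a SUBNET mask (PIX style), not an IOS wildcard mask. A malformed line
    raises ValueError, the model's equivalent of the PIX refusing the command.
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError("bad action %r" % action)
    pos = 4

    def read_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("address missing in %r" % line)
        tok = tokens[pos]
        if tok == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok == "host":
            # 'host' takes exactly one address and no mask.
            if pos + 1 >= len(tokens):
                raise ValueError("'host' needs an address in %r" % line)
            pos += 2
            return ipaddress.ip_network(tokens[pos - 1] + "/32")
        if pos + 1 >= len(tokens):
            raise ValueError("subnet mask missing after %s" % tok)
        # strict=True rejects host bits set under the mask and non-mask values,
        # which is what happens to the next token when 'host' precedes a subnet.
        net = ipaddress.ip_network("%s/%s" % (tok, tokens[pos + 1]), strict=True)
        pos += 2
        return net

    src = read_addr()
    dst = read_addr()
    dport = None
    if pos < len(tokens):
        if tokens[pos] != "eq" or pos + 1 >= len(tokens):
            raise ValueError("unexpected trailing tokens in %r" % line)
        name = tokens[pos + 1]
        if name in PORT_NAMES:
            dport = PORT_NAMES[name]
        elif name.isdigit():
            dport = int(name)
        else:
            raise ValueError("unknown port %r" % name)
    return AclEntry(action, proto, src, dst, dport)


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str, dport: int,
             proto: str = "tcp") -> str:
    """First matching entry wins; no match means the PIX implicit deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action
    return "deny"


# Constructed samples: the thread's mail server as destination; sources inside
# the filtering provider's 64.18.0.0/20, just outside it, and a documentation
# range address standing in for a sender that bypasses the MX records.
MAIL_SERVER = "63.167.210.120"
SAMPLE_SOURCES = {
    "filter-provider": "64.18.5.10",
    "just-outside-block": "64.18.16.1",
    "direct-sender": "198.51.100.7",
}
OLD_ACL = ["access-list 101 permit tcp any host 63.167.210.120 eq smtp"]
NEW_ACL = ["access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp"]


def decisions(acl_lines: List[str], dport: int = 25) -> dict:
    """Decision for each sample source connecting to the mail server on dport."""
    acl = [parse_pix_ace(l) for l in acl_lines]
    return {name: evaluate(acl, ip, MAIL_SERVER, dport)
            for name, ip in SAMPLE_SOURCES.items()}


def rejected_reason(line: str) -> Optional[str]:
    """Why the model rejects an access-list line, or None if it parses."""
    try:
        parse_pix_ace(line)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("old ACL:", decisions(OLD_ACL))
    print("new ACL:", decisions(NEW_ACL))
    print("rejected:", rejected_reason(
        "access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp"))
```

The 'just-outside-block' source matters in practice: 255.255.240.0 covers 64.18.0.0 through 64.18.15.255 only, so a mistyped mask would silently drop mail from part of the provider's range rather than producing an error, and an "any" line left above the new one would continue to admit direct senders because the first match wins.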
 
lrmoore commented:
Dang... a minute late and a dollar short....

<8-}

- Cheers!
 
chadd25 (Author) commented:
Thanks anyway lrmoore!! I now understand the command due to your comment. Since I am accepting from a range of IPs, HOST is not needed since I am not accepting from only one IP.
 
Pete Long (Consultant) commented:
ThanQ