Solved

Need to allow only smtp traffic from one IP

Posted on 2004-10-12
9
472 Views
Last Modified: 2010-04-10
We use an outside company to filter all of our e-mail before it hits our mail server.  I need to configure my PIX firewall to only accept port 25 traffic from ip address 64.18.0.0 Mask 255.255.240.0.  
My current Access list is access-list 101 permit tcp any host 63.167.210.120 eq smtp.  63.167.210.120 being my mail server.  The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

I am assuming the access list should look like this:

access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp

When I am in config mode, i have typed no access-list 101 permit tcp any host 63.167.210.120 eq smtp (this removes the line fine)
but when  try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax??
Thanks
0
Comment
Question by:chadd25
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 12286912
try


access-list 101 permit tcp host 64.18.0.0 0.0.240.255 63.167.210.120 eq smtp
0
 
LVL 3

Expert Comment

by:happythedog
ID: 12286941
access-list 101 permit tcp host 64.18.0.0 255.255.240.0 0.0.0.0 63.167.210.120 0.0.0.0 eq smtp is how it should read
0
 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 200 total points
ID: 12286973
>The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

Your senders MUST use MX records.  The only scenario I can think of where this may not be appropriate might be a dedicated application that has a hard-coded ip address.  Your revised access looks good.  We are using Positini and have our MX records pointed at them.  We have more than 1000 email recipients.  Positini has been absolutely wonderful.

Do you know eho your senders are?  If so, we could bring them into this discussion thread.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 57

Accepted Solution

by:
Pete Long earned 300 total points
ID: 12287002
or

access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
 
LVL 1

Author Comment

by:chadd25
ID: 12287106
Thanks guys.  We are using Postini.  Accepted answer took in the PIX.  Working properly now.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12287113
>when  try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax??
Yes, your syntax is wrong.

Don't use keyword "host" when referencing a subnet
>access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp
                                       ^^^

As Pete correctly suggested, the correct syntax is:
   access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12287136
Dang... a minute late and a dollar short....

<8-}

- Cheers!
0
 
LVL 1

Author Comment

by:chadd25
ID: 12287160
Thanks anyway lrmoore!!  I now understand the command due to your comment.  Since I am accepting from a range of IP's, HOST is not needed since I am not accepting from only one IP.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 12287274
ThanQ
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Blacked by spamhaus? 26 74
Reverse DND setup 6 38
decoding the error message TEI_ASSIGNED 8 43
Is Fedora an appropriate distro for the environment. 7 31
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question