Solved

Need to allow only smtp traffic from one IP

Posted on 2004-10-12
475 Views
Last Modified: 2010-04-10
We use an outside company to filter all of our e-mail before it hits our mail server.  I need to configure my PIX firewall to only accept port 25 traffic from ip address 64.18.0.0 Mask 255.255.240.0.  
My current Access list is access-list 101 permit tcp any host 63.167.210.120 eq smtp.  63.167.210.120 being my mail server.  The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

I am assuming the access list should look like this:

access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp

When I am in config mode, I have typed no access-list 101 permit tcp any host 63.167.210.120 eq smtp (this removes the line fine)
but when I try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax?
Thanks
Question by:chadd25
9 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 12286912
try


access-list 101 permit tcp host 64.18.0.0 0.0.240.255 63.167.210.120 eq smtp
0
 
LVL 3

Expert Comment

by:happythedog
ID: 12286941
access-list 101 permit tcp host 64.18.0.0 255.255.240.0 0.0.0.0 63.167.210.120 0.0.0.0 eq smtp is how it should read
0
 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 800 total points
ID: 12286973
>The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

Your senders MUST use MX records.  The only scenario I can think of where this may not be appropriate might be a dedicated application that has a hard-coded ip address.  Your revised access looks good.  We are using Postini and have our MX records pointed at them.  We have more than 1000 email recipients.  Postini has been absolutely wonderful.

Do you know who your senders are?  If so, we could bring them into this discussion thread.
0

 
LVL 57

Accepted Solution

by:Pete Long
Pete Long earned 1200 total points
ID: 12287002
or

access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
 
LVL 1

Author Comment

by:chadd25
ID: 12287106
Thanks guys.  We are using Postini.  Accepted answer took in the PIX.  Working properly now.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12287113
>when I try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax?
Yes, your syntax is wrong.

Don't use keyword "host" when referencing a subnet
>access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp
                            ^^^^

As Pete correctly suggested, the correct syntax is:
   access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
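The accepted answer and lrmoore's explanation both come down to one rule of the PIX access-list grammar: an address spec is either "any", "host A.B.C.D" (a single /32), or "A.B.C.D M.M.M.M" (network plus a real subnet mask, not an IOS wildcard mask). The toy parser below is an added illustration written for this thread, not Cisco code and not a full PIX grammar. It reads an entry the way the PIX does, so the line from the question fails for the same reason it failed on the firewall: "host 64.18.0.0" is consumed as a /32, and the tokens that follow ("255.255.240.0 63.167.210.120") are then read as a network plus mask, which is not valid. The evaluator at the end shows that the corrected entry admits only the 64.18.0.0/20 range to port 25 on the mail server and nothing else; all sample addresses other than those from the thread are constructed.

```python
"""Toy parser and first-match evaluator for PIX-style access-list entries.

Added example for this thread, not Cisco's code.  Grammar covered:
  access-list <id> permit|deny <proto> <src> <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'.
"""
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}  # subset of the PIX port keywords

# Lines from the thread: the one that failed and the accepted fix.
MAIL_SERVER = "63.167.210.120"
BROKEN = "access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp"
ACCEPTED = "access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp"


class AclSyntaxError(ValueError):
    """Raised where the PIX would reject the line."""


def is_netmask(text):
    """True if text is a dotted quad whose bits are contiguous ones from the left.
    This rejects IOS-style wildcard masks such as 0.0.15.255, as the PIX does."""
    try:
        value = int(ipaddress.IPv4Address(text))
    except ValueError:
        return False
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def _parse_address(tokens, pos):
    """Parse one address spec starting at tokens[pos]; return (network, next pos)."""
    if pos >= len(tokens):
        raise AclSyntaxError("address expected, but the line ended")
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":  # exactly one address, no mask
        if pos + 1 >= len(tokens):
            raise AclSyntaxError("'host' needs an address")
        try:
            addr = ipaddress.IPv4Address(tokens[pos + 1])
        except ValueError:
            raise AclSyntaxError(f"{tokens[pos + 1]!r} is not an IPv4 address") from None
        return ipaddress.ip_network(f"{addr}/32"), pos + 2
    if pos + 1 >= len(tokens):
        raise AclSyntaxError(f"subnet mask expected after {tok!r}")
    mask = tokens[pos + 1]
    if not is_netmask(mask):
        raise AclSyntaxError(f"{mask!r} is not a valid subnet mask (after {tok!r})")
    try:
        return ipaddress.ip_network(f"{tok}/{mask}", strict=False), pos + 2
    except ValueError:
        raise AclSyntaxError(f"{tok!r} is not an IPv4 address") from None


def parse_ace(line):
    """Parse a single entry into a dict, raising AclSyntaxError on bad syntax."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise AclSyntaxError("expected 'access-list <id> permit|deny <proto> ...'")
    acl_id, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise AclSyntaxError(f"unknown action {action!r}")
    src, pos = _parse_address(tokens, 4)
    dst, pos = _parse_address(tokens, pos)
    port = None
    if pos < len(tokens):  # optional 'eq <port>'
        if tokens[pos] != "eq" or pos + 1 >= len(tokens):
            raise AclSyntaxError(f"unexpected token {tokens[pos]!r}")
        name = tokens[pos + 1]
        port = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
        if port is None:
            raise AclSyntaxError(f"unknown port {name!r}")
        pos += 2
    if pos != len(tokens):
        raise AclSyntaxError(f"trailing tokens: {' '.join(tokens[pos:])}")
    return {"id": acl_id, "action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def syntax_error_for(line):
    """Return the parser's complaint for a line, or None if it parses cleanly."""
    try:
        parse_ace(line)
        return None
    except AclSyntaxError as exc:
        return str(exc)


def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match means the PIX's implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["port"] in (None, dst_port):
            return ace["action"] == "permit"
    return False


if __name__ == "__main__":
    print("broken line:", syntax_error_for(BROKEN))
    print("accepted line source:", parse_ace(ACCEPTED)["src"])  # 64.18.0.0/20
    for sender in ("64.18.4.10", "64.18.16.1", "198.51.100.7"):  # constructed senders
        print(sender, "->", evaluate([ACCEPTED], "tcp", sender, MAIL_SERVER, 25))
```

Running it prints the parser's complaint about the broken line, shows that the accepted entry's source resolves to 64.18.0.0/20, and that only the first constructed sender (inside that /20) is permitted; the second is one address past the range and the third is unrelated, so both fall through to the implicit deny. A port other than 25, or a sender outside the filtering provider's block, is denied even though the old "any" entry would have let it through, which is exactly the MX-bypass the question wanted to close.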
 
LVL 79

Expert Comment

by:lrmoore
ID: 12287136
Dang... a minute late and a dollar short....

<8-}

- Cheers!
0
 
LVL 1

Author Comment

by:chadd25
ID: 12287160
Thanks anyway lrmoore!!  I now understand the command due to your comment.  Since I am accepting from a range of IPs, HOST is not needed since I am not accepting from only one IP.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 12287274
ThanQ
0
