Restricting SMTP to specific external IP addresses using ISA Server 2000

Hey all:

My company has an external spam filtering service, and just recently they asked that all of their customers lock down SMTP. What I need to do is block SMTP requests coming from outside except for the IP addresses provided by my service provider.

So for example, if I have to allow requests on port 25 only from the following external IP addresses, how would I do this:

10.32.248.12 subnet 255.255.255.248

10.32.248.252 subnet 255.255.255.248

Note the IPs are just for example purposes.

Thanks

jocasio
Asked by Juan Ocasio, Application Developer


Cyclops3590 commented:
What type of firewall do you have? It's really just a syntax question there, but no matter what, what you do is similar to the following:

allow 10.32.248.12 255.255.255.248 to Mail Server for tcp 25
allow 10.32.248.252 255.255.255.248 to Mail Server for tcp 25
deny all to Mail Server for tcp 25

It must be in that order too. This way the firewall will evaluate the allow statements to see if they match first; then, if they don't match, all other requests on port 25/tcp will be denied to the mail server.
Cyclops3590 commented:
BTW, I can help if you have a Cisco firewall or use iptables. Most other firewalls have a GUI interface and should be easy to configure; you just need to make sure the rules are in the correct order.
Cyclops3590 commented:
OK, it helps if I read the question header... duh. I've never used ISA before, but the idea is the same.

Juan Ocasio (Application Developer, author) commented:
Thanks Cyclops3590:

Yeah, I should have put that in the body as well.

If anyone else has suggestions, or more importantly the directions on how to do this with ISA Server 2000, I'd greatly appreciate a reply.

Thanks again,

jocasio
naveedb commented:
Where is your SMTP? Is it in IIS? If so, you can open the MMC for IIS and go into Properties/Access for the SMTP Server. Then under Connection Control, specify the IP addresses which are allowed to access the server.
Juan Ocasio (Application Developer, author) commented:
I have Exchange Server 2000. I believe I have to set up rules in ISA Server...

jocasio
naveedb commented:
No, you can do it with Exchange also. Go into Server/SMTP Server properties and you should see the Access tab.
Juan Ocasio (Application Developer, author) commented:
Thanks, but how do I do this?

jocasio
naveedb commented:
Open System Manager:

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/086653b8-2782-4246-a9f5-b2483f328401.mspx?mfr=true

If you see Administrative Group, click on that and then click on Servers; otherwise just click on Servers.

You should see your default SMTP server.

Right-click on it and click on Properties.

Then select the Access tab and click on Connection Control to add the IP address(es).
Juan Ocasio (Application Developer, author) commented:
So the connection control restricts IP addresses accessing from the outside? I thought this was for which computers can access from the inside. Can you be more specific on how I would accomplish this? Sorry for all of the baby steps I need to take, but I've never done this before and I don't want to mess things up...

Thanks,

jocasio
naveedb commented:
It is for both internal and external. If you are doing NAT, you will need the translated address.

Start/Programs/Exchange/System Manager/Servers/Protocol/Default SMTP Server. Right-click, choose Properties, then select the Access tab.

After you have clicked on the Connection button, you have two options. Either you can allow certain hosts and deny all others ("Only the list below"), or the other way around, where you only block certain IP addresses ("All except the list below").

Assuming you only want to allow access to the following IP addresses:

10.32.248.12 subnet 255.255.255.248

10.32.248.252 subnet 255.255.255.248

Then you will select "Only the list below" and click on the Add button.

You will select Single computer and add 10.32.248.12 and then 10.32.248.252.

If you want the whole subnet, you can also select Group of computers and enter 10.30.32.0 with subnet 255.255.255.0. This will allow all computers that start with 10.30.32 (.1-.254) to access it.

I would suggest that after restricting the access, you test it from a mail server by trying to telnet to port 25 to verify everything is working.

http://www.resortdata.com/Customers/Knowledge/KB-Crystal/KC00003.htm#Restrict%20SMTP%20Connections%20by%20IP%20Address
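As an added example (not code from this thread or from ISA/Exchange), the allow/allow/deny ordering Cyclops3590 described and the "Single computer" vs "Group of computers" distinction in naveedb's steps, modelled as a first-match check in Python. The addresses are the constructed examples from the question, and the function names and the 0.0.0.0/0 deny-all entry are assumptions of this model.

```python
import ipaddress

# Constructed sample data: the two example entries quoted in the question, in the
# "IP mask" form the provider supplied (not real relay hosts).
PROVIDER_ENTRIES = [
    ("10.32.248.12", "255.255.255.248"),
    ("10.32.248.252", "255.255.255.248"),
]


def build_rules(entries, whole_subnet=False):
    """Return an ordered rule list: one allow per provider entry, then deny-all.

    whole_subnet=False mirrors a "Single computer" entry (the /32 host only).
    whole_subnet=True mirrors a "Group of computers" entry (the masked network,
    so 10.32.248.12/255.255.255.248 becomes 10.32.248.8/29).
    """
    rules = []
    for ip, mask in entries:
        if whole_subnet:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        else:
            net = ipaddress.ip_network(f"{ip}/32")
        rules.append(("allow", net))
    rules.append(("deny", ipaddress.ip_network("0.0.0.0/0")))  # catch-all last
    return rules


def evaluate(rules, source_ip):
    """First-match evaluation: the first rule whose network contains the source wins."""
    src = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if src in net:
            return action
    return "deny"  # implicit default when nothing matched


def check_all(rules, sources):
    """Evaluate every sample source against the rule list."""
    return {s: evaluate(rules, s) for s in sources}


if __name__ == "__main__":
    samples = ["10.32.248.12", "10.32.248.13", "10.32.248.252", "192.0.2.10"]
    hosts_only = build_rules(PROVIDER_ENTRIES)
    subnets = build_rules(PROVIDER_ENTRIES, whole_subnet=True)
    print("single hosts:", check_all(hosts_only, samples))
    print("whole /29s:  ", check_all(subnets, samples))
    # Wrong order: deny-all first shadows every allow and blocks the relay too.
    print("deny first:  ", check_all(list(reversed(hosts_only)), samples))
```

With single-host entries a neighbour such as 10.32.248.13 is denied even though it sits in the provider's /29; with subnet entries it is allowed, which is the practical difference between the two dialog choices.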

Juan Ocasio (Application Developer, author) commented:
naveedb:

Thanks for the replies and the patience. OK, I think I got what you're saying. So if I want a specific IP, I do not have to put in the subnet? My spam blocking service gave me an IP and subnet, but I guess I can just add the IP address? Correct?

Thanks again,

jocasio
naveedb commented:
That is correct. The subnet is not used when blocking a single host.

If you are receiving spam from multiple hosts within the same subnet, then you may want to block the complete subnet. ISPs tend to do this to punish overseas spam networks.
naveedb commented:
After reading your original question: yes, you select "Only the list below" and add those two hosts. I am not sure why they provided you with subnet masks.
Juan Ocasio (Application Developer, author) commented:
Cool:

Thanks for your help

jocasio