
Restricting SMTP to specific external IP addresses using ISA Server 2000

Hey all:

My company has an external spam filtering service and just recently they asked that all of their customers lock down SMTP.  What I need to do is block SMTP requests coming externally except for the IP addresses provided by my service provider.

So for example, if I have to only allow requests on port 25 from the following external IP addresses, how would I do this:

10.32.248.12 subnet 255.255.255.248

10.32.248.252 subnet 255.255.255.248

Note: the IPs are just for example purposes.

Thanks

jocasio
0
Asked by: Juan Ocasio
1 Solution
 
Cyclops3590 commented:
What type of firewall do you have?  It's really just a syntax question there, but no matter what, you do something similar to the following:

allow 10.32.248.12 255.255.255.248 to Mail Server for tcp 25
allow 10.32.248.252 255.255.255.248 to Mail Server for tcp 25
deny all to Mail Server for tcp 25

Must be in that order too.  This way the firewall will evaluate the allow statements to see if they match first; if they don't match, all other requests on port 25/tcp will be denied to the mail server.
0
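As an added illustration of the first-match ordering described in the answer above (this is example code written for this page, not anything from the original thread, ISA Server or any firewall vendor), the script below models the three rules as an ordered list and evaluates sample client addresses against them. It also shows what the provider's subnet masks actually mean: 10.32.248.12 with mask 255.255.255.248 is the /29 block 10.32.248.8 to .15, so entering the address as a single host (/32) covers fewer senders than entering the subnet. All addresses are the thread's own example values plus one constructed outsider (198.51.100.7).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    source: ipaddress.IPv4Network  # client addresses this rule matches
    port: int                      # destination TCP port


def network_from_mask(address: str, mask: str) -> ipaddress.IPv4Network:
    """Turn a host address plus dotted mask (as a provider hands them out) into
    the subnet it belongs to: 10.32.248.12/255.255.255.248 -> 10.32.248.8/29."""
    return ipaddress.IPv4Network((address, mask), strict=False)


# Constructed rule set mirroring the answer: two allows, then deny all on tcp/25.
SUBNET_RULES = [
    Rule("allow", network_from_mask("10.32.248.12", "255.255.255.248"), 25),
    Rule("allow", network_from_mask("10.32.248.252", "255.255.255.248"), 25),
    Rule("deny", ipaddress.IPv4Network("0.0.0.0/0"), 25),
]

# Single-host variant: the same two addresses entered as individual hosts (/32).
HOST_RULES = [
    Rule("allow", ipaddress.IPv4Network("10.32.248.12/32"), 25),
    Rule("allow", ipaddress.IPv4Network("10.32.248.252/32"), 25),
    Rule("deny", ipaddress.IPv4Network("0.0.0.0/0"), 25),
]


def evaluate(rules, client_ip: str, dst_port: int, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose port and source both match
    decides the verdict. Anything matching no rule falls through to the default."""
    ip = ipaddress.IPv4Address(client_ip)
    for rule in rules:
        if rule.port == dst_port and ip in rule.source:
            return rule.action
    return default


if __name__ == "__main__":
    for src in ("10.32.248.12", "10.32.248.9", "10.32.248.16", "198.51.100.7"):
        print(src, "subnet rules:", evaluate(SUBNET_RULES, src, 25),
              "| host rules:", evaluate(HOST_RULES, src, 25))
    # Same rules with the deny listed first: the allows are never reached.
    print("deny-first:", evaluate(list(reversed(SUBNET_RULES)), "10.32.248.12", 25))
```

Reversing the list turns every verdict into "deny", which is the ordering mistake the answer warns about. Whether to enter the hosts or the whole /29 is a question for the filtering provider: if their outbound relays can move within that block, the host-only list will start rejecting legitimate mail.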
 
Cyclops3590 commented:
BTW, I can help if you have a Cisco firewall or use iptables.  Most other firewalls have a GUI interface and should be easy to configure; you just need to make sure the rules are in the correct order.
0
 
Cyclops3590 commented:
OK, it helps if I read the question header... duh.  I've never used ISA before, but the idea is the same.
0
 
Juan Ocasio (Author) commented:
Thanks Cyclops3590:

Yeah, I should have put that in the body as well.

If anyone else had suggestions or more importantly, the directions on how to do this with ISA Server 2000, I'd greatly appreciate a reply,

Thanks again,

jocasio
0
 
naveedb commented:
Where is your SMTP, is it in IIS? If so, you can open MMC for IIS, go into properties/access for SMTP Server. Then under connection control specify the IP addresses which are allowed to access the server.
0
 
Juan Ocasio (Author) commented:
I have Exchange Server 2000.  I believe I have to set up rules in ISA Server...

jocasio
0
 
naveedb commented:
No, you can do it with Exchange also. Go into Server/SMTP Server properties and you should see Access Tab.
0
 
Juan Ocasio (Author) commented:
Thanks, but how do I do this?

jocasio
0
 
naveedb commented:
Open System Manager

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/086653b8-2782-4246-a9f5-b2483f328401.mspx?mfr=true

If you see Administrative Groups, click on that and then click on Servers; else just click on Servers.

You should see your default SMTP server.

Right-click on it, and click on Properties.

Then select Access Tab, and click on Connection Control to add the IP address(es)
0
 
Juan Ocasio (Author) commented:
So the connection control controls IP addresses accessing from the outside?  I thought this was for which computers can access from the inside.  Can you be more specific on how I would accomplish this?  Sorry for all of the baby steps I need to take, but I've never done this before and I don't want to mess things up...

Thanks,

jocasio
0
 
naveedb commented:
It is for both internal and external. If you are doing NAT, you will need the translated address.

Start/Programs/Exchange/System Manager/Servers/Protocols/Default SMTP Server. Right-click, choose Properties, then select the Access tab.

After you have clicked on the Connection button, you have two options. Either you can allow certain hosts and deny all others ("Only the list below"), or the other way around, where you only block certain IP addresses ("All except the list below").

Assuming you only want access from the following IP addresses:

10.32.248.12 subnet 255.255.255.248

10.32.248.252 subnet 255.255.255.248

Then you will select "Only the list below" and click on the Add button.

You will select Single computer and add 10.32.248.12 and then 10.32.248.252.

If you want the whole subnet, you can also select Group of computers and enter 10.30.32.0 with subnet 255.255.255.0. This will allow all computers that start with 10.30.32 (.1-.254) to access it.

I would suggest that after restricting the access, you test it from a mail server by trying to telnet to port 25 to verify everything is working.

http://www.resortdata.com/Customers/Knowledge/KB-Crystal/KC00003.htm#Restrict%20SMTP%20Connections%20by%20IP%20Address

0
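The telnet-to-port-25 check suggested above, as an added example written for this page (not code from the original thread, Exchange or any Microsoft product): probe_smtp() opens a TCP connection to a mail server, waits for the SMTP greeting and classifies the outcome. Because it needs a server to talk to, the block also starts a constructed stand-in on loopback (start_fake_smtp) so it runs offline; the hostname mail.example.test in the banner is made up. The distinction it draws matters for this thread: a rule in the firewall (ISA) makes the TCP connection fail outright for a blocked sender ("refused" or "timeout"), whereas a restriction in the SMTP service's Connection Control may still accept the TCP connection and then drop it without a 220 greeting ("rejected"), so a plain "can I connect" test is not enough.

```python
import socket
import threading


def start_fake_smtp(banner: bytes = b"220 mail.example.test ESMTP ready\r\n") -> int:
    """Constructed stand-in for a mail server on loopback: accepts one connection,
    sends the greeting, waits for the client's QUIT and exits. Returns the port.
    An empty banner models a server that accepts the TCP connection and then
    closes it without greeting, as a service-level IP restriction may do."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        with conn:
            if banner:
                conn.sendall(banner)
                try:
                    conn.recv(64)  # consume the client's QUIT
                except OSError:
                    pass
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> tuple:
    """Connect to host:port like a mail relay would and report the result as
    (status, detail): "open" with the 220 greeting, "rejected" if the server
    accepted TCP but sent no 220, "refused", "timeout" or "error" otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(512).decode("ascii", errors="replace").strip()
            try:
                s.sendall(b"QUIT\r\n")  # be polite; the server may already be gone
            except OSError:
                pass
    except ConnectionRefusedError as exc:
        return ("refused", str(exc))
    except socket.timeout:
        return ("timeout", "no connection or no greeting within %.1fs" % timeout)
    except OSError as exc:
        return ("error", str(exc))
    if banner.startswith("220"):
        return ("open", banner)
    return ("rejected", banner or "connection closed before any greeting")


def unused_port() -> int:
    """Constructed 'nothing listening' case: bind an ephemeral port and release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("greeting server:", probe_smtp("127.0.0.1", start_fake_smtp()))
    print("accept-then-drop:", probe_smtp("127.0.0.1", start_fake_smtp(banner=b"")))
    print("nothing listening:", probe_smtp("127.0.0.1", unused_port(), timeout=2.0))
```

To verify the restriction for real, run probe_smtp against the mail server's public address from a host that is on the allowed list and from one that is not: the first should report "open" with the 220 banner, the second "refused", "timeout" or "rejected" depending on where the block is enforced.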
 
Juan Ocasio (Author) commented:
naveedb:

Thanks for the replies and the patience.  OK, I think I got what you're saying.  So if I want a specific IP, I do not have to put in the subnet?  My spam blocking service gave me an IP and subnet, but I guess I can just add the IP address?  Correct?

Thanks again,

jocasio
0
 
naveedb commented:
That is correct. The subnet is not used when blocking single host.

If you are receiving spam from multiple hosts within the same subnet, then you may want to block the complete subnet. ISPs tend to do this to punish overseas spam networks.
0
 
naveedb commented:
After reading your original question: yes, you select "Only the list below" and add those two hosts. I am not sure why they provided you with subnet masks.
0
 
Juan Ocasio (Author) commented:
Cool:

Thanks for your help

jocasio
0
