Setting an SMTP connection / IP threshold in ASA and blocking non-complying traffic

eggster34 asked
Medium Priority
343 Views
Last Modified: 2010-05-18
Hello,
I have a 2620 XM connected to an ASA5510 firewall. The ASA has 3 interfaces: one for connecting to the 2620XM (for the internet connection), 1 for the DMZ and 1 for the internal network.
I have a mail server behind the DMZ that has SMTP ports open to the public internet.
On some days, I get 150.000+ SMTP connections that are trying to send spam / relay through my server. My anti-spam settings on my mail server detect this and bounce the emails, but the sheer number of connection attempts etc. is a heavy load on my server. Is there a way I can set up my ASA or my 2620XM to monitor connections on a per-IP basis, prevent more than, say, 25 connections per minute per IP and block the offenders? I understand that I need to set up something like a policy for this. Please help, thanks.

What kind of mail server do you use? Maybe you can configure your policy there?

ATB
Markus

Author commented:
It's Merak server. I don't want the traffic to reach the server, though; I'd like to cut it at the perimeter without it reaching the DMZ.

You can probably try the max connection limit with TCP intercept for this server.

Check out this link;

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K18407732

In there, the '0' is what you want to modify.

Cheers,
Rajesh


Author commented:
What value do you think I should set this to?
If the attacker establishes 30 connections and the limit is 30, can other clients reach the server at all?

This should be trial and error, eggster; it depends on the load on your server. Also, 30 would be much lower, I believe.

Cheers,
Rajesh
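One way to implement the per-source connection cap Rajesh describes on the ASA itself, as an added example that is not part of the thread or of any Cisco documentation it links to; it shows the '0' in the static command he refers to and, through the per-client form, answers the later question of whether one offender hitting the limit locks out other clients. Addresses, object names and the outside interface name are placeholders; the idle-timeout and NAT-address details are noted as assumptions in the comments.

```cisco
! Added example (not from the thread). ASA Modular Policy Framework (MPF)
! connection limits for inbound SMTP to the DMZ mail server.
! Placeholders (assumed): 203.0.113.25 = public address of the mail
! server, 10.1.1.25 = its DMZ address, "outside" = internet-facing interface.
!
! Old-style form the linked answer points at: the two trailing numbers of
! the static are max_conns and emb_limit, and 0 means "no limit". These are
! AGGREGATE limits, so once max_conns is reached every new client is refused,
! which is the lock-out the question at the top of this comment worries about.
!   static (dmz,outside) 203.0.113.25 10.1.1.25 netmask 255.255.255.255 tcp 0 0
!
! MPF form: per-client limits are tracked per SOURCE IP, so one noisy sender
! exhausting its own allowance does not stop other clients from connecting.
! Note that all ASA connection limits count CONCURRENT sessions, not
! connections per minute; the 25/minute threshold in the question has no
! direct equivalent here.
access-list SMTP_INBOUND extended permit tcp any host 203.0.113.25 eq smtp
!
class-map SMTP_INBOUND_CLASS
 match access-list SMTP_INBOUND
!
policy-map OUTSIDE_POLICY
 class SMTP_INBOUND_CLASS
  ! 25 established connections per source IP and 10 half-open (embryonic)
  ! connections per source IP. When the embryonic limit is exceeded the ASA
  ! proxies the TCP handshake (TCP intercept) and only forwards completed
  ! sessions, which is what Rajesh means by "tcp intercept".
  set connection per-client-max 25 per-client-embryonic-max 10
!
service-policy OUTSIDE_POLICY interface outside
!
! Assumption: the ACL must name the address the ASA sees on the interface
! where the policy is applied; on pre-8.3 code with NAT, confirm whether the
! mapped (public) or real (DMZ) address is the one matched before relying on it.
!
! Verification (read-only show commands):
!   show service-policy interface outside   - policy hits and drop counters
!   show local-host 203.0.113.25            - current per-host connection counts
!   show conn address 203.0.113.25          - live SMTP sessions to the server
```

Tune the two per-client numbers by watching `show local-host` during a spam burst: they should sit above what a legitimate relay or large sender opens at once, but well below what a spam bot burns through.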

Author commented:
Any other way to do this? Can I get an IDS sensor for my ASA box that would do something like this?

Hmm. Look for the SMTP signatures. I will check as well online (I don't have access to one, though).

Cheers,
Rajesh