Help Restricting SMTP traffic

Posted on 2007-07-25
Last Modified: 2010-04-09
How do I restrict SMTP traffic outbound to only a mail server?  We are being blacklisted due to an infected computer.  Apparently this computer is sending out SMTP traffic.  Until I track down the PC, how do I stop this traffic from getting outbound?

We have a 1751 Cisco router.  Here are some configs:

ip domain name junius. .org
ip cef
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
vpdn-group pppoe
  protocol pppoe
no ftp-server write-enable
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 Organization address x.x.x.x
crypto isakmp identity hostname
crypto isakmp peer address x.x.x.x
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto ipsec df-bit clear
crypto map aptmp 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set aptset
 match address 103
interface Vif1
 no ip address
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
interface FastEthernet0/0
 ip address 172.x.x.1
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
interface Virtual-PPP1
 no ip address
interface Virtual-Template1
 no ip address
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname
 ppp chap password
 ppp pap sent-username
 crypto map aptmp
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
ip classless
ip route Dialer0
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
ip access-list extended ipsec
access-list 1 permit 172.x.0.0
access-list 102 permit tcp host x.x.x.x any eq 22
access-list 102 permit tcp host x.x.x.x any eq 22
access-list 103 permit ip 172.x.x.0
access-list 130 deny   ip
access-list 130 permit ip any
dialer-list 1 protocol ip permit

route-map nonat permit 10
 match ip address 130
Question by: gdf99

    Accepted Solution

    access-list 111 permit tcp host any eq 25   <== xxx= your mail server
    access-list 111 deny tcp any any eq 25 log   <== log so you can catch the culprit
    access-list 111 permit ip any any
    interface fast 0/0
     ip access-group 111 in
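
The `log` keyword on the deny line above makes the router emit a syslog message for each blocked SMTP connection. The script below is an added example (not from the original answer or from Cisco) that tallies those messages per inside host so the infected PC can be identified; the log lines and addresses are constructed for the example, and the message format assumed is the standard IOS `%SEC-6-IPACCESSLOGP` format.

```python
import re
from collections import Counter

# Constructed sample of the syslog messages that the "deny ... log" entry in
# access-list 111 produces on Cisco IOS (addresses are made up for this example).
# IOS logs the first matching packet, then a per-interval summary ("37 packets").
SAMPLE_LOG = """\
Jul 25 09:12:01.115: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.1.23(1034) -> 64.12.138.120(25), 1 packet
Jul 25 09:12:03.220: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.1.23(1035) -> 65.54.188.110(25), 1 packet
Jul 25 09:12:07.004: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 172.16.1.5(2201) -> 192.0.2.25(25), 1 packet
Jul 25 09:17:01.330: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.1.23(1036) -> 64.12.138.120(25), 37 packets
Jul 25 09:17:02.118: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.1.77(3391) -> 209.85.147.27(25), 2 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            for key in ("sport", "dport", "count"):
                entry[key] = int(entry[key])
            yield entry

def denied_smtp_sources(text, acl="111"):
    """Total denied tcp/25 packets per inside host, summing the per-interval counts."""
    totals = Counter()
    for e in parse_acl_log(text):
        if e["acl"] == acl and e["action"] == "denied" and e["proto"] == "tcp" and e["dport"] == 25:
            totals[e["src"]] += e["count"]
    return totals

def likely_culprit(text, acl="111"):
    """Return (host, packets) for the host with the most denied SMTP attempts, or None."""
    totals = denied_smtp_sources(text, acl)
    if not totals:
        return None
    return totals.most_common(1)[0]

if __name__ == "__main__":
    for host, n in denied_smtp_sources(SAMPLE_LOG).most_common():
        print(f"{host:15} {n} denied SMTP packets")
    print("most likely infected host:", likely_culprit(SAMPLE_LOG))
```

Feed it the output of `show logging` or your syslog server's file; a host that keeps hitting the deny line after the mail server is excluded is the one to pull off the network.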


    Author Comment

    Lrmoore - Is the following line necessary? I tried to input the following line and the router won't accept it.
    Ip access-group 111 in


    Expert Comment

    Yes, it is necessary. You have to apply the access-list to the interface. This is an interface config:
    router(config)#interface fast 0/0
    router(config-if)#ip access-group 111 in
