Restrict Inbound SMTP traffic to certain IP addresses

Posted on 2007-07-30
Last Modified: 2013-11-30
I use a third-party spam filter / email archive company.  All of our inbound and outbound traffic goes through this company's servers.  Our MX record points to them, they filter and archive and then send the mail to us.  In their setup instructions, it states that I need to lock down my firewall to restrict inbound SMTP traffic to ONLY their servers' IP addresses.

Excerpt from their setup instructions -
"Inbound SMTP Restrictions:
Please wait 72 hours after changing your MX record
to allow full propagation across the Internet.
Next, restrict inbound port-25 SMTP traffic on your
firewall or mail server(s) to only accept mail from the
FrontBridge data centers as shown below."

and then it lists their IP addresses to use.

The problem is, I can't find anyone who knows how to do that.  I have a Cisco PIX 515 firewall.  Any suggestions would be appreciated. We are running MS Exchange 2003.

Question by:markcondiff

    Accepted Solution

    It's pretty straightforward.

    1. Open the Exchange System Manager.
    2. Click the plus next to Servers.
    3. Click the plus next to your server.
    4. Click the plus next to Protocols.
    5. Click the plus next to the SMTP protocol.
    6. Right-click on the Default SMTP Virtual Server and click Properties.
    7. On the second tab (Access), click the Connections button.
    8. Set the option button to "Only the list below".
    9. Click Add and add the networks the provider has given you.
    10. If any local servers relay through this box or any on-site systems use POP to communicate, specify the local network.
    11. Click OK and OK and you are done!

    One caveat that your provider may not have mentioned: this will disable access by remote POP users.  One trick to get around that is to not lock the domain down in terms of connection, but instead to rename the IP in the DNS from to or something else.  Most spammers try delivering to the mail. address and will ignore other names.  That way your remote users just change their SMTP server address.

    Expert Comment

    I have to do the same thing... how would I enter these IP address values with the "/25"?


    Expert Comment

    Sorry... I discovered that /25 represented the subnet mask... please ignore previous post.
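
The allow-list from steps 8 to 10 of the accepted solution, together with the "/25" question above, as an added example that is not part of the original thread: it turns CIDR entries into the address and subnet-mask pairs the Connection dialog takes, and checks which source addresses the resulting list would accept. The ranges are constructed documentation addresses standing in for the provider's list, the local network is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation space) standing in for
# the provider's published list, which is not reproduced on this page.
PROVIDER_RANGES = ["192.0.2.0/25", "198.51.100.64/26", "203.0.113.10"]
LOCAL_RANGES = ["10.0.0.0/24"]  # assumed internal network (step 10)


def parse_ranges(entries):
    """Parse CIDR or single-address entries; reject entries with host bits set."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError as exc:
            raise ValueError(f"bad allow-list entry {entry!r}: {exc}") from exc
    return nets


def exchange_entries(nets):
    """Return (kind, address, mask) rows in the form the Connection dialog asks for."""
    rows = []
    for net in nets:
        if net.prefixlen == net.max_prefixlen:
            rows.append(("Single computer", str(net.network_address), None))
        else:
            rows.append(("Group of computers", str(net.network_address),
                         str(net.netmask)))
    return rows


def is_allowed(source_ip, nets):
    """True if source_ip falls inside any allow-listed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    allow = parse_ranges(PROVIDER_RANGES + LOCAL_RANGES)
    for kind, address, mask in exchange_entries(allow):
        print(f"{kind:20} {address:16} {mask or ''}")
    # Constructed source addresses: two inside the list, two just outside it.
    for ip in ["192.0.2.127", "192.0.2.128", "10.0.0.25", "203.0.113.11"]:
        print(f"{ip:16} {'accept' if is_allowed(ip, allow) else 'reject'}")
```

Running the check against source addresses taken from the SMTP log before switching to "Only the list below" shows which current senders, such as on-site relays, would be rejected by the new list.
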

    Expert Comment

    OK. So that's the way around remote users with IMAP, POP or Outlook over RPC accounts....

    BUT how does this affect OWA? I am using a hosted filter and a lot of spam is still getting through. I need to lock down the SMTP connector without locking anyone out. (?)

    My users browse to (and /remote for RWP). Will this cause trouble or do I have to reconfigure IIS as well?

    Expert Comment

    Not to mention all of the cell phones. It's a war of attrition.

    Expert Comment

    I have to do this EXACT same thing and am very familiar with doing it in Exchange 2003, but I am using Exchange 2010 with a Hub Transport.
