configure juniper 5gt for outbound smtp

Posted on 2008-11-16
Medium Priority
Last Modified: 2013-11-30
Hi there

We have a Netscreen 5GT and I want to configure the firewall as per our company's best practice.

We have an Exchange server which obviously needs inbound and outbound port 25 traffic, but I want to ensure no other machine in our network can send SMTP traffic (to prevent a machine becoming a spam host).

So here's my config:

Router is on
Exchange is on
All other machines in DHCP scope are below this so I want this rule to apply to

Also from are our other servers that don't require SMTP either.

It's a fairly well established network and the firewall was configured by a former tech.  Whilst I love playing, I don't really have a lot of time so if anybody knows how I can configure the rules quickly that would be great.

Question by:makingithappen
LVL 32

Expert Comment

ID: 22977362
You haven't mentioned the public IP that you want to use.

Check this out (which I wrote for this kind of purpose) and see if it helps. If you have any further questions, please post them.

Accepted Solution

makingithappen earned 0 total points
ID: 23019361
Hi Rajesh

I didn't find the guideline too easy for me as a bit of a layman, so I practised and f'd around a bit until I got it right. For those out there who want to do the same, here is what I did.

I opened the Policies configuration page on the Juniper 5GT:

If you're new to this, you need to know that you are creating Trust to Untrust rules for the first 2 and an Untrust to Trust rule for the last. This works a treat for us now.

Also, if you've been blacklisted by Spamhaus or the CBL, it's a good idea to do this ASAP, and also check and ensure your reverse DNS is correct if you're running a mail server. No doubt there is an article here on this somewhere.

Here are the rules (in this order):

1. ALLOW outbound traffic from port 25 to the Internet from Server

Source Address = Server
Destination Address = Any
Service = SMTP
Action = Permit
Turn Logging ON

2. Deny outbound traffic from Port 25 to the Internet for EVERYONE

Source Address = Any
Destination Address = Any
Service = SMTP
Action = Deny
Turn Logging ON

3. Allow inbound traffic from port 25 to the Server

Source Address = Any
Destination Address = SERVER
Service = SMTP
Action = Permit
Turn Logging ON

Hope this helps someone out.
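The three rules above only work because the firewall evaluates policies top-down and stops at the first match, so the specific ALLOW for the server must sit above the blanket DENY. This added example (not from the original post or from Juniper) models that first-match evaluation with the accepted answer's three rules, checks that each kind of SMTP flow lands on the intended rule, and flags a rule that an earlier, broader one would shadow. The addresses are constructed placeholders, since the post elides the real ones, and the implicit deny for unmatched traffic is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: str        # "Any" or a host/CIDR
    dst: str
    service: str
    action: str     # "permit" or "deny"

# Constructed sample addresses; the original post elides the real ones.
SERVER = "192.0.2.10/32"   # the Exchange server in the Trust zone

# The three rules from the accepted answer, in the order given there.
RULES = [
    Policy("1 allow server out", "Trust", "Untrust", SERVER, "Any", "SMTP", "permit"),
    Policy("2 deny everyone out", "Trust", "Untrust", "Any", "Any", "SMTP", "deny"),
    Policy("3 allow in to server", "Untrust", "Trust", "Any", SERVER, "SMTP", "permit"),
]

def _addr_match(rule_addr, addr):
    return rule_addr == "Any" or ip_address(addr) in ip_network(rule_addr, strict=False)

def evaluate(policies, from_zone, to_zone, src, dst, service):
    """First matching policy wins; no match falls to an assumed implicit deny."""
    for p in policies:
        if (p.from_zone, p.to_zone, p.service) != (from_zone, to_zone, service):
            continue
        if _addr_match(p.src, src) and _addr_match(p.dst, dst):
            return p.name, p.action
    return None, "deny"

def _covers(wide, narrow):
    # True if every address matched by `narrow` is also matched by `wide`.
    if wide == "Any":
        return True
    if narrow == "Any":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(wide, strict=False))

def shadowed(policies):
    """Names of policies that can never match because an earlier one covers them."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            same = (earlier.from_zone, earlier.to_zone, earlier.service) == \
                   (later.from_zone, later.to_zone, later.service)
            if same and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                out.append(later.name)
                break
    return out
```

Swapping rules 1 and 2 makes `shadowed` report the server's ALLOW, which is exactly the misordering that would cut off the mail server's outbound SMTP.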
