configure juniper 5gt for outbound smtp

Posted on 2008-11-16
Last Modified: 2013-11-30
hi there

we have a Netscreen 5GT and i want to configure the firewall as per our company's best practice.

we have an exchange server which obviously needs inbound and outbound port 25 traffic but I want to ensure no other machine in our network can send SMTP traffic (to prevent a machine becoming a spam host).

So here's my config

Router is on
Exchange is on
All other machines in DHCP scope are below this so I want this rule to apply to

Also from are our other servers that don't require SMTP either.

It's a fairly well established network and the firewall was configured by a former tech.  Whilst I love playing, I don't really have a lot of time so if anybody knows how I can configure the rules quickly that would be great.

Question by:makingithappen
    LVL 32

    Expert Comment

    You haven't mentioned the public IP that you want to use.

    Check this out (which I wrote for this kinda purpose) and see if it helps. If you have any further questions, please post it.


    Accepted Solution

    Hi Rajesh

    I didn't find the guideline too easy for me as a bit of a layman so I practised and f'd around a bit until I got it right.  For those out there who want to do the same here is what I did.

    I opened the Policies configuration page on the Juniper 5GT:

    If you're new to this, you need to know that you are creating Trust to Untrust rules for the first 2 and an Untrust to Trust rule for the last.  This works a treat for us now.

    Also if you've been blacklisted by spamhaus or the CBL it's a good idea to do this ASAP and also check and ensure your reverse DNS is correct if you're running a mail server.  No doubt there is an article here on this somewhere.

    Here are the rules (in this order):

    1. ALLOW outbound traffic from port 25 to the Internet from Server

    Source Address = Server
    Destination Address = Any
    Service = SMTP
    Action = Permit
    Turn Logging ON

    2. Deny outbound traffic from Port 25 to the Internet for EVERYONE

    Source Address = Any
    Destination Address = Any
    Service = SMTP
    Action = Deny
    Turn Logging ON

    3. Allow inbound traffic from port 25 to the Server

    Source Address = Any
    Destination Address = SERVER
    Service = SMTP
    Action = Permit
    Turn Logging ON

    hope this helps someone out.
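The three policies above modelled as a first-match lookup, as an added example that is not part of the original post: ScreenOS evaluates policies top-down and applies the first one that matches, so rule 1 (server permit) must sit above rule 2 (blanket deny) or the server itself gets blocked. The 192.168.1.x and 198.51.100.25 addresses are constructed, the MIP/NAT normally needed for the inbound rule is ignored, and any other permit policies already on the box are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SMTP = 25  # TCP port behind the built-in "SMTP" service object

@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    src: str                # address object name, e.g. "Server" or "Any"
    dst: str
    service: Optional[int]  # destination port; None means ANY
    action: str             # "permit" or "deny"

# Constructed address book (hypothetical private address for the Exchange server).
ADDRESSES = {"Server": ip_network("192.168.1.10/32"), "Any": ip_network("0.0.0.0/0")}
INTERNET_HOST = "198.51.100.25"  # constructed external address (TEST-NET-2)

def evaluate(policies, src_zone, dst_zone, src_ip, dst_ip, dport):
    """First-match lookup, top-down as ScreenOS does; implicit deny if nothing matches."""
    for i, p in enumerate(policies):
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
            continue
        if ip_address(src_ip) not in ADDRESSES[p.src]:
            continue
        if ip_address(dst_ip) not in ADDRESSES[p.dst]:
            continue
        if p.service is not None and p.service != dport:
            continue
        return p.action, i
    return "deny", None

# The three policies from the accepted solution, in the order given there.
POLICIES = [
    Policy("Trust", "Untrust", "Server", "Any", SMTP, "permit"),  # 1. server may send
    Policy("Trust", "Untrust", "Any", "Any", SMTP, "deny"),       # 2. nobody else may
    Policy("Untrust", "Trust", "Any", "Server", SMTP, "permit"),  # 3. inbound to server
]
# Same rules with 1 and 2 swapped: the blanket deny now shadows the server permit.
SWAPPED = [POLICIES[1], POLICIES[0], POLICIES[2]]

def outbound(policies, src_ip, dport=SMTP):
    return evaluate(policies, "Trust", "Untrust", src_ip, INTERNET_HOST, dport)[0]

def inbound(policies, dst_ip, dport=SMTP):
    return evaluate(policies, "Untrust", "Trust", INTERNET_HOST, dst_ip, dport)[0]

if __name__ == "__main__":
    print(outbound(POLICIES, "192.168.1.10"), outbound(POLICIES, "192.168.1.50"))  # permit deny
    print(outbound(SWAPPED, "192.168.1.10"))  # deny: the order of rules 1 and 2 matters
```

Checking the policy log on the 5GT for hits on rule 2 is the quick way to spot a workstation that has started relaying mail.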
