configure juniper 5gt for outbound smtp

hi there

we have a Netscreen 5GT and i want to configure the firewall as per our company's best practice.

we have an exchange server which obviously needs inbound and outbound port 25 traffic but I want to ensure no other machine in our network can send smtp traffic (to prevent a machine becoming a spam host).

So here's my config

Router is on 192.168.1.253
Exchange is on 192.168.1.210
All other machines in DHCP scope are below this so I want this rule to apply to 192.168.1.1-192.168.1.209.

Also from 192.168.1.211-253 are our other servers that don't require SMTP either.

It's a fairly well established network and the firewall was configured by a former tech.  Whilst I love playing, I don't really have a lot of time so if anybody knows how I can configure the rules quickly that would be great.

Cheers,
1 Solution
 
rsivanandan commented:
You haven't mentioned about the public ip that you want to use.

Check this out (which I wrote for this kinda purpose) and see if it helps. If you have any further questions, please post it.

http://www.rsivanandan.com/?p=108

Cheers,
Rajesh
makingithappen (Author) commented:
Hi Rajesh

I didn't find the guideline too easy for me as a bit of a layman so I practised and f'd around a bit until I got it right.  For those out there who want to do the same here is what I did.

I opened the Policies configuration page on the Juniper 5GT:

If you're new to this, you need to know that you are creating Trust to Untrust rules for the first two and an Untrust to Trust rule for the last.  This works a treat for us now.

Also if you've been blacklisted by spamhaus or the CBL it's a good idea to do this ASAP and also check and ensure your reverse DNS is correct if you're running a mail server.  No doubt there is an article here on this somewhere.

Here are the rules (in this order):

1. ALLOW outbound traffic from port 25 to the Internet from Server

Source Address = Server
Destination Address = Any
Service = SMTP
Action = Permit
Turn Logging ON

2. Deny outbound traffic from Port 25 to the Internet for EVERYONE

Source Address = Any
Destination Address = Any
Service = SMTP
Action = Deny
Turn Logging ON

3. Allow inbound traffic from port 25 to the Server

Source Address = Any
Destination Address = SERVER
Service = SMTP
Action = Permit
Turn Logging ON


hope this helps someone out.
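Added example, not part of the thread or of any Juniper tooling: a small Python model of an ordered, first-match policy list with the three policies above entered as constructed data, so you can check which hosts can send or receive SMTP and see why rule 1 must sit above rule 2. The "Server" address object, the zone names and the public test addresses are assumptions; the public IP / MIP translation that Rajesh raised is left out, so inbound traffic is evaluated against the private address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address book mirroring the post: "Server" is the Exchange
# host, "Any" is the catch-all object (assumption: plain /32 and /0).
ADDRESSES = {
    "Server": [ip_network("192.168.1.210/32")],
    "Any": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    src: str      # address-book object name
    dst: str      # address-book object name
    service: str  # service object name, e.g. "SMTP"
    action: str   # "permit" or "deny"


# The three policies from the answer, in the order they were entered.
POLICIES = [
    Policy("Trust", "Untrust", "Server", "Any", "SMTP", "permit"),
    Policy("Trust", "Untrust", "Any", "Any", "SMTP", "deny"),
    Policy("Untrust", "Trust", "Any", "Server", "SMTP", "permit"),
]


def _matches(obj_name, ip):
    return any(ip in net for net in ADDRESSES[obj_name])


def evaluate(policies, src_zone, dst_zone, src_ip, dst_ip, service):
    """First matching policy wins, top to bottom.

    Returns (action, index). Traffic matching nothing falls through to the
    implicit deny at the end of the list, reported as index None.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, p in enumerate(policies):
        if (p.src_zone, p.dst_zone, p.service) != (src_zone, dst_zone, service):
            continue
        if _matches(p.src, s) and _matches(p.dst, d):
            return p.action, i
    return "deny", None


def outbound_smtp(policies, src_ip, dst_ip="203.0.113.25"):
    """Convenience wrapper: Trust -> Untrust SMTP from an internal host."""
    return evaluate(policies, "Trust", "Untrust", src_ip, dst_ip, "SMTP")
```

Swapping the first two policies (deny-all above the Exchange permit) makes the server's own outbound mail hit the deny rule, which is the ordering mistake the answer warns about.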