
Restrict SMTP port 25 (inbound mail) to specific source ip range - PIX 506E

dschef asked
Last Modified: 2012-05-08
I want to restrict inbound mail to my Exchange server (10.0.0.10) so that only mail from our Postini mail filter service can get through port 25. The Postini range is 64.18.0.0 - 64.18.240.0. My PIX ip address is 70.141.89.###. I've read a few existing Q&A's but I can't be sure how to apply the info directly to my situation.

Here's the section of my current PIX config that contains the access-list lines:

access-list outside_access_in permit tcp any host 70.141.89.### eq 123
access-list outside_access_in permit tcp any host 10.0.0.15 eq pptp
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any host 70.141.89.### eq 15353
access-list outside_access_in permit tcp any host 70.141.89.### eq 37
access-list outside_access_in permit udp any host 10.0.0.15 eq 1723
access-list outside_access_in permit gre interface outside any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 70.141.89.### eq pptp
access-list outside_access_in permit gre any host 70.141.89.###
access-list outside_access_in permit tcp any interface outside eq imap4
access-list outside_access_in permit tcp any host 70.141.89.### eq smtp
access-list outside_access_in permit tcp any host 70.141.89.### eq www
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl remark VPNintoRoscoe
access-list inside_outbound_nat0_acl permit ip any interface outside
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.13.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_240 permit ip 10.0.0.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list outside_cryptomap_100 permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list outside_cryptomap_140 permit ip 10.0.0.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list outside_cryptomap_300 permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
access-list outside_cryptomap_280 permit ip 10.0.0.0 255.255.255.0 10.0.13.0 255.255.255.0
pager lines 24
logging on
icmp permit any outside
icmp permit any inside

Can you help me create the list of commands that I need to enter into the running config?

THX
Mike

Adding the following lines to your 'outside_access_in' ACL should do the trick for you...


access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host 70.141.89.x eq 25
access-list outside_access_in permit tcp any any 25

The first line allows SMTP only from Postini's range (which I verified) to your mail server at 70.141.89.x.

The second line will block all other SMTP connections.  You can add the word 'log' at the end if you would like to receive a log notification any time an SMTP connection is blocked from a non-Postini source.

Hope this helps...

Mike
Oops - forgot the 'eq' on the second line - sorry!

access-list outside_access_in deny tcp any any eq 25

Author Commented:
Thanks for the quick response.
Here are a few lines that I interpreted from previous reading:

no access-list outside_access_in

 <Reapply the initial entries>
access-list outside_access_in permit tcp any host 70.141.89.x eq www
 
access-list outside_access_in deny ip any host 70.141.89.x

 <allow incoming mail from the Postini ip range>
access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host 70.141.89.x eq smtp

  <deny all other incoming mail>
access-list outside_access_in deny tcp any host 70.141.89.x eq smtp
access-list outside_access_in permit ip any any

 <reapply the access-list to the interface>
access-group outside_access_in in interface outside

As you can see, there are some differences and I'm a bit uneasy making the change because it affects over 200 users.
What do you think?
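Added example (not code from either poster and not the PIX software): a small Python model of how the PIX walks an access-list, first match wins and anything unmatched falls through to the implicit deny at the end, applied to the entries proposed in the answer above and to the draft list in the reply. It shows the two things worth checking before touching a firewall that 200 users depend on. First, order: the existing 'permit tcp any host ... eq smtp' from the question still wins for every source if the new lines are merely appended below it, and a 'deny ip any host ...' placed above the Postini permit blocks Postini as well; the rule that blocks the rest has to be a deny, sitting below the specific permit (with the implicit deny it only earns its place if you want the 'log' keyword). Second, the mask: 64.18.0.0 255.255.240.0 matches 64.18.0.0 through 64.18.15.255 only, while the range quoted in the question runs to 64.18.240.0, which a single mask covers only at 255.255.0.0, so the mask should be checked against Postini's published ranges rather than assumed. Assumptions: NAT is ignored, the redacted 70.141.89.x is replaced by the TEST-NET placeholder 203.0.113.10, and the source addresses are constructed.

```python
"""
Toy first-match model of a PIX access-list plus a netmask check.
Added example for this thread, not code from either poster and not
the PIX itself. Assumptions: first matching entry wins, unmatched
traffic hits the implicit deny at the end, NAT is ignored, and the
redacted 70.141.89.x is stood in for by the TEST-NET address below.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAIL_SERVER = "203.0.113.10"   # stand-in for the redacted 70.141.89.x
POSTINI_SRC = "64.18.3.7"      # constructed source inside 64.18.0.0 255.255.240.0
OTHER_SRC = "198.51.100.23"    # constructed non-Postini source

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "imap4": 143}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted-netmask form, e.g. 64.18.0.0 255.255.240.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list NAME permit|deny PROTO SRC DST [eq PORT]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[2], t[3], src, dst, dport)


def evaluate(acl, proto, src, dst, dport):
    """Return (action, entry) for the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        ace = parse_ace(line)
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, line
    return "deny", "<implicit deny>"


# The question's existing broad SMTP permit, with the Postini lines appended after it.
APPENDED = [
    f"access-list outside_access_in permit tcp any host {MAIL_SERVER} eq smtp",
    f"access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host {MAIL_SERVER} eq smtp",
    f"access-list outside_access_in deny tcp any host {MAIL_SERVER} eq smtp",
]

# The reply's draft order: a blanket deny for the host sits above the Postini permit.
DRAFT = [
    f"access-list outside_access_in permit tcp any host {MAIL_SERVER} eq www",
    f"access-list outside_access_in deny ip any host {MAIL_SERVER}",
    f"access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host {MAIL_SERVER} eq smtp",
    f"access-list outside_access_in deny tcp any host {MAIL_SERVER} eq smtp",
    "access-list outside_access_in permit ip any any",
]

# Working order: the specific permit first, then the deny, other permits after.
FIXED = [
    f"access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host {MAIL_SERVER} eq smtp",
    f"access-list outside_access_in deny tcp any host {MAIL_SERVER} eq smtp",
    f"access-list outside_access_in permit tcp any host {MAIL_SERVER} eq www",
]


def smtp_results(acl):
    """Actions for SMTP to the mail server from a Postini address and from elsewhere."""
    return (evaluate(acl, "tcp", POSTINI_SRC, MAIL_SERVER, 25)[0],
            evaluate(acl, "tcp", OTHER_SRC, MAIL_SERVER, 25)[0])


def mask_coverage(network, mask):
    """First and last address actually matched by NETWORK MASK."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def covering_mask(first, last):
    """Smallest single netmask whose block contains both addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if lo in net and hi in net:
            return str(net.netmask)


if __name__ == "__main__":
    print("appended:", smtp_results(APPENDED))
    print("draft:   ", smtp_results(DRAFT))
    print("fixed:   ", smtp_results(FIXED))
    print("mask covers:", mask_coverage("64.18.0.0", "255.255.240.0"))
    print("mask needed:", covering_mask("64.18.0.0", "64.18.240.0"))
```

Running it shows the appended list still permitting SMTP from every source, the draft list denying Postini as well as everyone else, and the reordered list permitting only Postini. The same pattern applies on the real box: clear the list, re-enter the entries with the specific permit above the deny, drop the old 'permit tcp any ... eq smtp', and re-apply the access-group; then test from a Postini-range source and from a non-Postini one, as the author did.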

Author Commented:
Good answer(s) - easy for me to follow and understand.

I made the entries, tested inbound mail from three different sources, and all is good.

Thanks, Mike