Rule for Router

I want to configure a basic rule or ACL on the router so that all outgoing mail traffic goes to our mail server (which is at a remote location in a different country).

What entries should I make on the router so that our IPs do not get listed on spam-blocking sites?
Asked by: VINOD MORE (Linux System Analyst)
 
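Todd Gerbert (IT Consultant) commented:
Well, on a PIX:

access-list <access-list-name> permit tcp any host <remote-smtp-server-ip> eq smtp
access-list <access-list-name> deny tcp any any eq smtp
: keep all non-SMTP traffic allowed (every ACL ends in an implicit deny)
access-list <access-list-name> permit ip any any
: bind to the inside interface so the list filters traffic leaving the LAN
access-group <access-list-name> in interface <inside-interface-name>

Or, on a Cisco router:
ip access-list extended <access-list-name>
  ! allow SMTP only to the remote mail server
  permit tcp any <mail-server-ip> 0.0.0.0 eq smtp
  deny tcp any any eq smtp
  ! keep all non-SMTP traffic allowed (every ACL ends in an implicit deny)
  permit ip any any
! apply inbound on the LAN-facing interface
interface <interface-name>
  ip access-group <access-list-name> in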
0
 
Todd Gerbert (IT Consultant) commented:
Well, that would probably depend on what kind of router you have.  The ones I'm familiar with don't do that.  The way I would do it is to run an SMTP server on your network, configure that SMTP server to forward all mail to your remote mail server, have all your computers point to 192.168.1.15, and configure the firewall to only allow outbound SMTP from this server.
0
 
Alan Hardisty (Co-Owner) commented:
If you are concerned about getting blacklisted, then restrict your outbound TCP port 25 traffic to just your mail server (if you have one) and that should stop you getting listed unless you contract a nasty virus that sends out via your server.
If you don't have a mail server, then the above suggestion is a good one.
0
 
VINOD MORE (Linux System Analyst, Author) commented:
@alanhardisty

Ya, that's what I want, as we don't have a mail server at our location; it's at a remote location, and we use POP3 accounts to access it.

So can you tell me the ACL lines I need to configure on the router? Because I don't want the blacklisting thing to happen.
0
 
Todd Gerbert (IT Consultant) commented:
What kind of router do you have?
0
 
Alan Hardisty (Co-Owner) commented:
If you are using SMTP / POP3 from each and every client, then you will need to allow Outbound TCP port 25 for all clients and thus you won't be able to restrict access via the router, otherwise your clients will not be able to send any mail.
To make this work, as recommended by tgerbert, set up an SMTP server on one of your servers and then have all your clients use this server as their outbound email server.
That way, you can restrict Outbound TCP port 25 to this SMTP server and this should minimise the risk of getting blacklisted.
Your SMTP server should be configured to send to your SMTP server in the remote location.
To set up an SMTP server, please read the following:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e4cf06f5-9a36-474b-ba78-3f287a2b88f2.mspx?mfr=true
In terms of your router - what Make / Model do you have?
0
 
Todd Gerbert (IT Consultant) commented:
I'm really not understanding what this has to do with being blacklisted...if you don't normally send mail from your network, only through the SMTP server on a remote network, then what difference does it make even if your local addresses did get blacklisted?

Do you have people on your network using SMTP servers they shouldn't be using?
0
 
sardiskan commented:
ACLs on routers are used as an "allow/deny" mechanism. You can't forward packets to a specific server based on what service port it is going to with an ACL. You'll need to use a firewall to do port forwarding. The firewall will basically check to see what service port is being requested and will then forward all that traffic to a specific IP.

There is nothing your router can do to stop an IP from getting listed in a blacklist. Blacklisted IPs are a result of a person getting SPAM from your IP and reporting it to the various antispam lists. Just keep your systems clean and you'll have a better chance of not getting listed.
0
 
Alan Hardisty (Co-Owner) commented:
tgerbert - If a virus gets onto one of the computers, it will send out spam and will get them blacklisted.  Normal use should be fine, but it is better to tighten up outbound ports to prevent such problems.
0
 
Todd Gerbert (IT Consultant) commented:
Well, you could allow outbound SMTP connections to the remote server and deny all others.  This won't automatically identify mail traffic and re-route it to a particular server, but would prevent anyone on your network from sending mail to any other mail server.

Still, if you're sending spam-like mail this'll just result in the remote server getting blacklisted...
0
 
Todd Gerbert (IT Consultant) commented:
@alanhardisty,

I get what you're saying, but in reality wouldn't that just have the effect of stopping the virus from sending mail, without interfering with normal mail delivery (since normal mail is delivered to their smart host)?

@vinodmore

Still gonna need to know what make/model of routers and/or firewalls you have in place to help you any further, and ideally if you could post your current config with usernames, passwords and public IP addresses removed.
0
 
Alan Hardisty (Co-Owner) commented:
tgerbert - Viruses normally use their own SMTP engines and thus will be able to send out mail regardless of the environment.  The virus writers cannot rely on there being a server or other such useful stuff that they can abuse, so they include their own engine.
This way, if a virus gets into the system, it will be able to send out spam without intervention if all outbound TCP port 25's are open.
0
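
Added example, not part of any post in this thread: once outbound SMTP is denied for everything except the mail server, the hosts that keep hitting the deny rule are the ones worth inspecting for a mailer of the kind described above. This Python script assumes the deny entry carries the IOS `log` keyword and that syslog lines use the `%SEC-6-IPACCESSLOGP` format; the ACL name `OUTBOUND-SMTP`, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation addresses), in the format IOS
# emits for an ACL entry with the "log" keyword, e.g. "deny tcp any any eq smtp log".
SAMPLE_LOG = """\
Mar  3 10:01:12 gw %SEC-6-IPACCESSLOGP: list OUTBOUND-SMTP denied tcp 192.168.1.23(1045) -> 198.51.100.7(25), 1 packet
Mar  3 10:01:13 gw %SEC-6-IPACCESSLOGP: list OUTBOUND-SMTP denied tcp 192.168.1.23(1046) -> 203.0.113.9(25), 1 packet
Mar  3 10:01:15 gw %SEC-6-IPACCESSLOGP: list OUTBOUND-SMTP denied tcp 192.168.1.23(1047) -> 203.0.113.80(25), 1 packet
Mar  3 10:04:40 gw %SEC-6-IPACCESSLOGP: list OUTBOUND-SMTP denied tcp 192.168.1.40(2210) -> 198.51.100.25(25), 1 packet
Mar  3 10:06:12 gw %SEC-6-IPACCESSLOGP: list OUTBOUND-SMTP denied tcp 192.168.1.23(1045) -> 198.51.100.7(25), 4 packets
Mar  3 10:07:01 gw %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.200(40000) -> 192.168.1.10(25), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def blocked_smtp_by_host(log_text, acl_name="OUTBOUND-SMTP"):
    """Return {src_ip: {"packets": n, "destinations": set}} for denied port-25 traffic."""
    hosts = defaultdict(lambda: {"packets": 0, "destinations": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl_name or m["dport"] != "25":
            continue  # other ACLs, other ports, unrelated log lines
        entry = hosts[m["src"]]
        entry["packets"] += int(m["count"])
        entry["destinations"].add(m["dst"])
    return dict(hosts)

def suspected_hosts(log_text, min_destinations=3):
    """Hosts denied SMTP to many distinct servers; a single destination is more
    likely a mail client still pointed at an old or wrong server."""
    stats = blocked_smtp_by_host(log_text)
    return sorted(ip for ip, s in stats.items() if len(s["destinations"]) >= min_destinations)

if __name__ == "__main__":
    stats = blocked_smtp_by_host(SAMPLE_LOG)
    for ip in suspected_hosts(SAMPLE_LOG):
        print(ip, stats[ip]["packets"], sorted(stats[ip]["destinations"]))
```
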
 
VINOD MORE (Linux System Analyst, Author) commented:
Currently I don't have the router make and model. I am assuming it's an entry-level router and that ACL configuration is somewhat common, so I asked.
0
 
Alan Hardisty (Co-Owner) commented:
Without your own SMTP server, the router part of the question is moot as there is nothing you would be able to block.
0
 
Alan Hardisty (Co-Owner) commented:
True on a PIX, but if it is a basic router, then little can be done.
0
 
VINOD MORE (Linux System Analyst, Author) commented:
Why is there a requirement for an SMTP server? I was thinking it can be directly configured in the router ACL.
0
 
VINOD MORE (Linux System Analyst, Author) commented:
@tgerbert

That's what I wanted.
0
 
Todd Gerbert (IT Consultant) commented:
Assuming your router supports such ACLs, but as alanhardisty points out, that won't be the case if you have a consumer-grade router.  However, if you did have an SMTP server locally it would be easy, even with a low-end router, to deny SMTP services for every IP address on your network EXCEPT your local SMTP server.  Then every computer on your network would need to use the local SMTP server, and the local SMTP server can be configured to forward all mail to the remote SMTP server.

0
 
Alan Hardisty (Co-Owner) commented:
That depends on the router.
If it is a bog standard router, then you normally only have open / close port options.  You cannot specify particular routes they can take.
0
 
VINOD MORE (Linux System Analyst, Author) commented:
Thanks
0
Question has a verified solution.