Solved

Rule for Router

Posted on 2009-12-18
Last Modified: 2012-05-08
I want to configure basic rule or ACL on router so that all outgoing mail traffic goes to our mail server (which is at remote location different country)

What entries should i make on router. So that our IPs does not get listed in Spam blocking sites.
Question by:VINOD MORE
20 Comments
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 26079611
Well, that would probably depend on what kind of router you have. The ones I'm familiar with don't do that. The way I would do it is to run an SMTP server on your network, configure that SMTP server to forward all mail to your remote mail server, have all your computers point to 192.168.1.15, and configure the firewall to only allow outbound SMTP from this server.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26079815
If you are concerned about getting blacklisted, then restrict your outbound TCP port 25 traffic to just your mail server (if you have one) and that should stop you getting listed unless you contract a nasty virus that sends out via your server.
If you don't have a mail server, then the above suggestion is a good one.
 
LVL 1

Author Comment

by:VINOD MORE
ID: 26080730
@ alanhardisty

Yes, that's what I want. As we don't have a mail server at our location (it's at a remote location), we use POP3 accounts to access it.

So can you tell me the ACL lines I need to configure on the router? Because I don't want the blacklisting thing to happen.
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 26080770
What kind of router do you have?
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26080805
If you are using SMTP / POP3 from each and every client, then you will need to allow outbound TCP port 25 for all clients, and thus you won't be able to restrict access via the router; otherwise your clients will not be able to send any mail.
To make this work, as recommended by tgerbert, set up an SMTP server on one of your servers and then have all your clients use this server as their outbound email server.
That way, you can restrict outbound TCP port 25 to this SMTP server and this should minimise the risk of getting blacklisted.
Your SMTP server should be configured to send to your SMTP server in the remote location.
To set up an SMTP server, please read the following:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e4cf06f5-9a36-474b-ba78-3f287a2b88f2.mspx?mfr=true
In terms of your router - what Make / Model do you have?
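The local relay described in this answer, shown as a Postfix main.cf fragment (an added example, not the thread's own configuration or the IIS SMTP server the link covers; the remote hostname and LAN range are placeholders). Only LAN clients may hand mail to this host, and everything it accepts is forwarded to the remote mail server.

```ini
# /etc/postfix/main.cf (relevant settings only; values are placeholders)
inet_interfaces = all
# Clients that are allowed to relay through this host: loopback plus the LAN
mynetworks = 127.0.0.0/8, 192.168.1.0/24
# Forward all outbound mail to the remote mail server; brackets skip the MX lookup
relayhost = [mail.example.net]:25
# Require TLS to the relayhost so mail is not sent in the clear across the WAN
smtp_tls_security_level = encrypt
# Relay for mynetworks only; refuse to relay for anyone else (open-relay protection)
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
```

On Postfix releases before 2.10 the same restriction list belongs in smtpd_recipient_restrictions instead.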
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 26080847
I'm really not understanding what this has to do with being blacklisted...if you don't normally send mail from your network, only through the SMTP server on a remote network, then what difference does it make even if your local addresses did get blacklisted?

Do you have people on your network using SMTP servers they shouldn't be using?
 
LVL 5

Expert Comment

by:sardiskan
ID: 26080899
ACLs on routers are used as an "allow/deny" mechanism. You can't forward packets to a specific server based on what service port it is going to with an ACL. You'll need to use a firewall to do port forwarding. The firewall will basically check to see what service port is being requested and will then forward all that traffic to a specific IP.

There is nothing your router can do to stop an IP from getting listed in a blacklist. Blacklisted IPs are a result of a person getting SPAM from your IP and reporting it to the various antispam lists. Just keep your systems clean and you'll have a better chance of not getting listed.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26081022
tgerbert - If a virus gets onto one of the computers, it will send out spam and will get them blacklisted. Normal use should be fine, but it is better to tighten up outbound ports to prevent such problems.
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 26081038
Well, you could allow outbound SMTP connections to the remote server and deny all others.  This won't automatically identify mail traffic and re-route it to a particular server, but would prevent anyone on your network from sending mail to any other mail server.

Still, if you're sending spam-like mail this'll just result in the remote server getting blacklisted...
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 26081082
@alanhardisty,

I get what you're saying, but in reality wouldn't that just have the effect of stopping the virus from sending mail, without interfering with normal mail delivery (since normal mail is delivered to their smart host)?

@vinodmore

Still gonna need to know what make/model of routers and/or firewalls you have in place to help you any further, and ideally if you could post your current config with usernames, passwords and public IP addresses removed.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26081208
tgerbert - Viruses normally use their own SMTP engines and thus will be able to send out mail regardless of the environment. The virus writers cannot rely on there being a server or other such useful stuff that they can abuse, so they include their own engine.
This way, if a virus gets into the system, it will be able to send out spam without intervention if outbound TCP port 25 is open for all hosts.
 
LVL 1

Author Comment

by:VINOD MORE
ID: 26081216
Currently I don't have the router make and model; I am assuming it's an entry-level router and ACL configuration is somewhat common. So I asked.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26081231
Without your own SMTP server, the router part of the question is moot as there is nothing you would be able to block.
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 1000 total points
ID: 26081276
Well, on a PIX

access-list <access-list-name> permit tcp any host <remote-smtp-server-ip> eq smtp
access-list <access-list-name> deny tcp any any eq smtp
access-group <access-list-name> in interface <outside-interface-name>

Or, on a Cisco router:
ip access-list extended <access-list-name>
  ! allow SMTP only to the remote mail server, then block SMTP to anywhere else
  permit tcp any <mail-server-ip> 0.0.0.0 eq smtp
  deny tcp any any eq smtp
  ! an IOS ACL ends with an implicit deny, so all other traffic must be permitted explicitly
  permit ip any any
interface <interface-name>
  ! apply inbound on the LAN-facing interface so it matches traffic leaving the LAN
  ip access-group <access-list-name> in
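To check what an IOS extended ACL of this shape does before applying it, here is a small first-match evaluator (an added example, not code from the thread). It assumes a placeholder remote mail server 203.0.113.25 and demonstrates the implicit-deny caveat: the two SMTP lines alone also drop every non-SMTP flow, and only an explicit permit ip any any afterwards lets ordinary traffic through.

```python
import ipaddress

# Constructed values: the remote mail server is a TEST-NET-3 placeholder,
# not an address from the thread.
MAIL_SERVER = "203.0.113.25"
PORTS = {"smtp": 25, "www": 80}

# The two SMTP entries in the form used in the accepted answer ...
POSTED_ACL = [
    f"permit tcp any {MAIL_SERVER} 0.0.0.0 eq smtp",
    "deny tcp any any eq smtp",
]
# ... and the same ACL with the explicit catch-all permit it needs,
# because an IOS ACL ends with an implicit deny.
FIXED_ACL = POSTED_ACL + ["permit ip any any"]


def _parse_addr(toks, i):
    """Return (network, next index) for 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # Address plus wildcard mask; assumes a contiguous wildcard such as 0.0.0.255.
    wildcard = int(ipaddress.ip_address(toks[i + 1]))
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{toks[i]}/{prefix}", strict=False), i + 2


def parse_entry(line):
    """Parse '<action> <proto> <src> <dst> [eq <port>]'.
    Only a destination port is supported, which is all the ACL above uses."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _parse_addr(toks, 2)
    dst, i = _parse_addr(toks, i)
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = PORTS.get(toks[i + 1]) or int(toks[i + 1])
    return action, proto, src, dst, port


def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in map(parse_entry, acl_lines):
        if aproto not in ("ip", proto):
            continue
        if src_ip not in asrc or dst_ip not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"
```

Run evaluate() over the flows you care about (a client to the mail server on 25, a client to any other host on 25, and ordinary web or DNS traffic) against both lists to see the difference the catch-all permit makes.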
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26081283
True on a PIX, but if it is a basic router, then little can be done.
 
LVL 1

Author Comment

by:VINOD MORE
ID: 26081294
Why is there a requirement for an SMTP server? I was thinking it can be directly configured in the router ACL.
 
LVL 1

Author Comment

by:VINOD MORE
ID: 26081312
@ tgerbert

That's what I wanted.
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 26081327
Assuming your router supports such ACLs, but as alanhardisty points out, that won't be the case if you have a consumer-grade router.  However, if you did have an SMTP server locally it would be easy, even with a low-end router, to deny SMTP services for every IP address on your network EXCEPT your local SMTP server.  Then every computer on your network would need to use the local SMTP server, and the local SMTP server can be configured to forward all mail to the remote SMTP server.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26081333
That depends on the router.
If it is a bog-standard router, then you normally only have open / close port options. You cannot specify particular routes they can take.
 
LVL 1

Author Closing Comment

by:VINOD MORE
ID: 31667709
Thanks
