Solved

How to set up rules so Exchange only receives mails from MxLogic servers?

Posted on 2011-03-22
11
929 Views
Last Modified: 2012-05-11
Hi Experts,

We use McAfee's MxLogic email protection to have them filter our mails before delivered to our Exchange server. The first couple weeks, it did a really good job. But later, junk emails probably figure out how to send emails directly to our Exchange server so now we need to lock down our Exchange server or set up firewall rules to ensure that only filtered mail from McAfee will be delivered to our Exchange server.
Can you tell me how to do that in our ASA?
 
0
Comment
Question by:Castlewood
  • 4
  • 4
  • 3
11 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 35189601
Setup an in bound acl that only accepts mail from trustes sources. You probably have a rule now to accept smtp from "any"

Change this:
 access-list outside_access_in permit tcp any host a.b.c.d eq 25

To this:
 access-list outside_access_in permit tcp host <mxlogic> host a.b.c.d eq 25
 no access-list outside_access_in permit tcp any host a.b.c.d eq 25

Done.
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 250 total points
ID: 35189612
Setup an ACL on your outside interface so only approved IPs can send traffic inbound to port 25 SMTP.  

You should already have an ACL on the outside, so you just need to add a few lines to it.  


access-list acl_out extended permit tcp host <ip of MxLogic> host <your email server public ip> eq smtp
access-list acl_out extended permit tcp host <ip2 of MxLogic> host <your email server public ip> eq smtp
access-list acl_out extended deny tcp any host <your email server public ip> eq smtp

This will allow the MxLogic server to speak with your email's public ip, then deny all other hosts.  

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35189616
Also, make sure you only have one MX record for your domain, and that it points to MXLogic and not to your own public IP address a.b.c.d. You may have a secondary MX record that goes straight to you and that is where spammers will always hit first. They don't go to the primary MX host, they go for the second or third.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 79

Expert Comment

by:lrmoore
ID: 35189625
We must have been typing at the same time, Mike!
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35189660
Yep - I think so.   Wouldn't be the 1st time.

And I was about to add that part about the 2nd MX record also.     Good call.
0
 

Author Comment

by:Castlewood
ID: 35190029
Thank you for your prompt reply. You guys are awesome.
One thing though, we have some iPads/iPhones directly connecting to our Exchange server for getting emails. Do they use SMTP? Would this rule block those iPads users from accessing our Exchange server?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35190202
Depends. If they use OWA, or direct push then should be no problem. If they use POP3, then maybe unless you set them up to use a different outgoing smtp server or require authentication. Or have them use the VPN to access Exchange.
We might need some Exchange expertise to pop in . . .  
0
 

Author Comment

by:Castlewood
ID: 35190685
Mike,
in your commands, you have the deny command:
access-list acl_out extended deny tcp any host <your email server public ip> eq smtp

Would this deny command void the two Permit commands and block all smtp traffic from accessing to my Exchange server ?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35190815
Access lists are evaluated from the top down, as soon as the ACL finds a match, the processing stops.   So the allowed servers would match (traffic allowed) and the ACL never even evaluated the Deny statement.    The ACL as a whole will allow your mxLogic boxes and deny all else.  

>>some iPads/iPhones directly...
Normally, these devices use EWS to get mail from exchange over SSL.   I would really discourage you from opening POP ports into your exchange when you have OWA and EWS as an available and more secure alternative.
0
 

Author Closing Comment

by:Castlewood
ID: 35200557
I tested and found iPad has no issue receiving from my 2003 Exchange. iPad got to be using different protocol.
0
 

Author Comment

by:Castlewood
ID: 35201457
I tested and found iPad has no issue receiving from my 2003 Exchange. iPad got to be using different protocol. BUT cannot send out since iPad use SMTP to send emails.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Adding VPN user with Cisco RV110W changes IP address 7 36
Cisco 5508 controller parsing error 4 58
ASA Tunnel 18 29
Cisco 5508 WLC software upgrade 2 31
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question