PIX and SMTP

Unanswered Question
Jan 2nd, 2008

I've inherited the IT duties at my office, but don't have a whole lot of experience in this area.

Currently our network is set up such that our webserver catches all incoming SMTP traffic and relays it to the exchange server. Additionally the exchange server sends all its outgoing SMTP to the webserver where it's relayed out.

Existing in the PIX is a rule which allows this:

access-list acl_dmz permit tcp host webserver host 192.168.1.123 eq smtp

I'm trying to install a spam filter between our webserver which is on the DMZ side of our firewall, and our exchange server which is on the secure side. The spam filter is also installed on the secure side, so I added a rule that will allow SMTP traffic to route to the spam filter:

access-list acl_dmz permit tcp host webserver host 192.168.1.124 eq smtp

The problem is that when I change the IP on the mail relay from exchange (192.168.1.123) to the spam filter (192.168.1.124), no mail gets to it.

I know that mail from the spam filter gets to exchange server correctly, but nothing from the webserver is getting to the spam filter.

Is there anything that I'm missing?

Thanks,

Ryan

Rick Morris Fri, 01/04/2008 - 08:18

First off I would change anything using the web server as a relay, you are asking for a headache. I would recommend using your service provider as the relay point; this will also allow you to have store and forward set up in case your exchange server goes down for any reason or you have maintenance that needs to be performed. As far as the spam filter, I am not sure what it is supposed to do in the set-up. I understand it filters spam; what I am talking about is: is it passive and just allows mail to pass through, or is it a gateway of sorts for exchange?

For example, the relay for mail is the webserver

mail ---> 192.168.1.xx

this ip is in the DMZ

is the spam filter the gateway now

mail ---> spam filter IP ---> outbound mail

In the set-up above I would ask your provider to be the relay. This will also allow you to not have to worry about someone relaying mail through your network, spammers sending mail out of your network, which could result in you getting blacklisted on the internet. You will see significant network performance as well and your mail server might thank you too!

gitargr82 Fri, 01/04/2008 - 09:55

I'm not sure what you mean by using the provider as a relay, as we own our domain...

I'm not super worried about spammers using our mail relay as I only allow mail to be relayed from a specific IP address, our exchange server. I would like to change the firewall to send all incoming SMTP traffic straight to the spam filter instead of the webserver, but I don't really know the commands to accomplish this.

The existing rules look like this:

: allows webserver to receive SMTP traffic

access-list acl_dmz permit tcp host 172.16.0.2 any eq smtp

: allows webserver to relay SMTP to exchange

access-list acl_dmz permit tcp host webserver host 192.168.1.123 eq smtp

: allows incoming SMTP traffic to webserver

access-list acl_out permit tcp any host webserver eq smtp

The spam filter is designed to catch all messages then pass the good ones on to exchange. I guess I would call it a gateway, as it only lets ham messages pass through, and quarantines any spam and/or viruses.

I got it working temporarily by putting the spam filter on the DMZ side of the network, but still using the webserver as a relay, but I'd like to bypass it altogether and route mail directly to the spam filter.

Thanks,

~Ryan

Rick Morris Fri, 01/04/2008 - 10:06

You can own your own domain and have someone else be the relay, it is based on the DNS entry where the MX record is pointing to. Then what happens is the provider does a store and forward of all mail to you. You then point your outgoing mail to the server provided by the ISP. This is kind of like a middle man approach. This is just one option not the best but could help in this situation.

As far as pointing the SMTP, in the firewall change the entry for the webserver to the spam appliance, then make sure that all devices then point to the IP of the spam appliance and not the webserver. Also make sure that public DNS is set up for incoming mail to point to the spam filter now. It might be just as easy to take the public IP and build a static nat to point to the spam filter.

gitargr82 Fri, 01/04/2008 - 10:22

Heh, about 90% of all that sounds like it's over my head. I'm thinkin' I need to either convince management to send me to a CCNA course, or just hire an outside IT firm to do all this.

Thanks for your input, looks like I'll have to find some tutorials on Google now...

~Ryan

Rick Morris Fri, 01/04/2008 - 10:26

Let's try to walk through this together.

Attach your config.

I don't need everything, just the acl for all mail traffic including smtp, the acl for the dmz (specifically the webserver that is the relay), and the static nat table.

sh run | i static

sh access-list

sh run | i smtp

sh route

This will help get started.

I will also need a brief overview of how mail works in your set-up from incoming and outgoing.

gitargr82 Fri, 01/04/2008 - 11:10

Here's the config:

name *.*.*.131 webserver

name *.*.*.132 exchserver

name *.*.*.133 labcamera1

access-list acl_dmz permit tcp host 172.16.0.2 any eq smtp

access-list acl_dmz permit tcp host webserver host 192.168.1.123 eq smtp

access-list acl_dmz permit udp host webserver host 192.168.1.123 eq domain

access-list acl_dmz permit tcp host webserver host 192.168.1.123 eq domain

access-list acl_dmz permit tcp host webserver host 192.168.1.122 range 1025 1075

access-list acl_dmz permit tcp host webserver host 192.168.1.122 eq 10000

access-list acl_dmz permit tcp host webserver host 192.168.1.122 range 7991 7992

access-list acl_dmz permit tcp host webserver host 192.168.1.82 eq www

access-list acl_dmz permit tcp host webserver host 192.168.1.124 eq smtp

access-list acl_dmz deny ip host webserver 192.168.1.0 255.255.255.0

access-list acl_dmz permit ip any any

access-list acl_out permit tcp any host webserver eq www

access-list acl_out permit tcp any host webserver eq ftp

access-list acl_out permit icmp any host webserver echo

access-list acl_out permit tcp any host webserver eq smtp

access-list acl_out permit gre any any

access-list acl_out permit icmp any any echo-reply

access-list acl_out permit tcp any host exchserver eq www

access-list acl_out permit tcp any host exchserver eq 3389

access-list acl_out permit tcp any host labcamera1 eq www

access-list acl_out deny ip any any

access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 90 permit ip 10.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0

...

ip address outside *.*.*.130 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

ip address dmz 172.16.0.1 255.255.0.0

...

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 0 access-list 90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

alias (inside) webserver 172.16.0.2 255.255.255.255

static (inside,dmz) 192.168.1.123 192.168.1.123 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.1.122 192.168.1.122 netmask 255.255.255.255 0 0

static (dmz,outside) webserver 172.16.0.2 netmask 255.255.255.255 0 0

static (inside,outside) *.*.*.150 192.168.1.90 netmask 255.255.255.255 0 0

static (inside,outside) *.*.*.151 192.168.1.91 netmask 255.255.255.255 0 0

static (inside,outside) *.*.*.152 192.168.1.92 netmask 255.255.255.255 0 0

static (inside,outside) *.*.*.153 192.168.1.93 netmask 255.255.255.255 0 0

static (inside,outside) *.*.*.154 192.168.1.94 netmask 255.255.255.255 0 0

static (inside,outside) exchserver 192.168.1.123 netmask 255.255.255.255 0 0

static (inside,outside) labcamera1 192.168.1.82 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 *.*.*.129 1

route inside 10.0.0.0 255.255.0.0 192.168.1.126 1

That's probably way more than you asked for. *.*.* is our public IP, which I've removed.

192.168.1.123 is the domain controller/exchange/dns/dhcp server.

172.16.0.2 is the dmz address for the webserver.

192.168.1.126 is a router which is the gateway for all computers on our inside network.

To be honest, I'm not 100% sure how incoming mail is set up. It LOOKS like the firewall is routing all SMTP traffic to the webserver. All I know is that once it gets to our webserver, which has a virtual SMTP server, it is then relayed to exchange.

Outgoing mail comes from exchange and is routed to the virtual SMTP on the webserver. Only the exchange server is allowed to use this relay for outgoing mail.

Thanks again, and let me know if you need any clarification.

~Ryan
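An added check that is not part of the thread and not the poster's or Cisco's code: on PIX 6.x, a host on a lower-security interface (here the dmz) can only open connections to a host on a higher-security interface (inside) when two things exist: an ACL entry permitting the flow and a static (or nat 0) translation that presents the inside host on the dmz interface. The script below parses the configuration posted above (copied here as constructed sample input, with the public addresses masked exactly as the poster masked them) and lists every acl_dmz permit entry whose inside destination has no matching static (inside,dmz). It assumes the conventional security levels (inside above dmz) and only handles the "host X host Y" rule shape used in the post.

```python
import re

# Constructed from the PIX configuration posted in the thread.
PIX_CONFIG = """
name *.*.*.131 webserver
name *.*.*.132 exchserver
access-list acl_dmz permit tcp host 172.16.0.2 any eq smtp
access-list acl_dmz permit tcp host webserver host 192.168.1.123 eq smtp
access-list acl_dmz permit udp host webserver host 192.168.1.123 eq domain
access-list acl_dmz permit tcp host webserver host 192.168.1.123 eq domain
access-list acl_dmz permit tcp host webserver host 192.168.1.122 range 1025 1075
access-list acl_dmz permit tcp host webserver host 192.168.1.122 eq 10000
access-list acl_dmz permit tcp host webserver host 192.168.1.122 range 7991 7992
access-list acl_dmz permit tcp host webserver host 192.168.1.82 eq www
access-list acl_dmz permit tcp host webserver host 192.168.1.124 eq smtp
access-list acl_dmz deny ip host webserver 192.168.1.0 255.255.255.0
access-list acl_dmz permit ip any any
static (inside,dmz) 192.168.1.123 192.168.1.123 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.122 192.168.1.122 netmask 255.255.255.255 0 0
static (dmz,outside) webserver 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,outside) exchserver 192.168.1.123 netmask 255.255.255.255 0 0
static (inside,outside) labcamera1 192.168.1.82 netmask 255.255.255.255 0 0
access-group acl_dmz in interface dmz
"""

# Only the "host SRC host DST" rule shape from the post is parsed; rules with
# "any" or a subnet as destination are deliberately skipped.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)\s*(.*)$")
# static (real_if,mapped_if) MAPPED REAL netmask ...
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask")


def parse_config(text):
    """Split a PIX config into host-to-host ACL rules and static translations."""
    rules, statics = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            rules.append({"acl": m.group(1), "action": m.group(2), "proto": m.group(3),
                          "src": m.group(4), "dst": m.group(5), "ports": m.group(6)})
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append({"real_if": m.group(1), "mapped_if": m.group(2),
                            "mapped": m.group(3), "real": m.group(4)})
    return rules, statics


def mapped_hosts(statics, real_if, mapped_if):
    """Addresses on mapped_if through which hosts on real_if can be reached."""
    return {s["mapped"] for s in statics
            if s["real_if"] == real_if and s["mapped_if"] == mapped_if}


def find_permits_without_static(text, acl_name="acl_dmz",
                                real_if="inside", mapped_if="dmz"):
    """Return (dst, proto, ports) for every permit in acl_name whose
    destination has no static (real_if,mapped_if) translation."""
    rules, statics = parse_config(text)
    reachable = mapped_hosts(statics, real_if, mapped_if)
    return [(r["dst"], r["proto"], r["ports"]) for r in rules
            if r["acl"] == acl_name and r["action"] == "permit"
            and r["dst"] not in reachable]


if __name__ == "__main__":
    for dst, proto, ports in find_permits_without_static(PIX_CONFIG):
        print(f"acl_dmz permits {proto} {ports} to {dst}, "
              f"but no static (inside,dmz) exists for {dst}")
```

Run against the posted configuration the check reports 192.168.1.124 (the spam filter, smtp) and 192.168.1.82 (www): both are permitted by acl_dmz but neither has a static (inside,dmz) entry, whereas 192.168.1.123 and 192.168.1.122 do. Appending a static for the spam filter and re-running is a quick way to confirm a candidate change before applying it, and to verify that only the intended inside hosts are exposed to the dmz.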

Rick Morris Fri, 01/04/2008 - 11:26

OK... this is what I think is happening.

Mail is coming into your network via a public IP

mail.companyname.com MX

which is then sent to the webserver and then sent to the exchserver, does that sound right?

If this is the case then you can do a couple of things.

1) Change the DNS record to point to the new IP address you set up, public to private NAT, build an ACL for SMTP and any other protocol you need.

2) Change the static entry for the public IP to the new private IP for the spam filter if that is going to be the relay point. *We use a PGP server and this is what we have sitting inline, the PGP server will pass through the mail.

I would recommend changing the static first since you control this and it takes the least amount of time to change as well as put back if there are any issues. I would build the ACL first then change the NAT. If this works you could put the NAT back the way it was and change the MX record in DNS. It is really up to you, but test test test!!!!

To keep with the same theme as above, create an alias and call it mail_relay or spam_filter or whatever you want to call it, then mimic the same acl above. Just make sure it is not in the dmz acl, since it will no longer be used for traffic flow for this smtp relay. Place it in the acl where the data flow will be.

What I have done in the past to simplify the static is to use an ACL in the command line

static (i,o) access-list MAIL_RELAY

then build an ACL and add everything in there. This keeps it more organized when looking through the lines and lines of code.

gitargr82 Fri, 01/04/2008 - 12:15

OK... this is what I think is happening.

Mail is coming into your network via a public IP

mail.companyname.com MX

I'm looking at the records on the DNS server, and under Mail Exchanger (is this what you mean by MX?) is the exchange server IP. Under the record "mail" is an alias for "ourdomain.com." Would this be the record that is routing the mail?

~Ryan

Rick Morris Fri, 01/04/2008 - 12:19

DNS entry:

companydomain.com

-mail A

-www A

-anythingelse A

This is the Microsoft way.

You could set up an MX record, which is set for mail exchange, but it is not needed as long as the world knows where to send mail and has an A record set up. You can also have PTR records or CNAME records which point to a common IP.

Your incoming mail, what does it point to, exchange or webserver? My guess is, because the webserver is the relay point, that the IP of the webserver is the IP in DNS.
