Prevent smtp from all IPs except email servers

Nov 20th, 2008

How can I configure our ASA 5510 ver. 7.2(2) to prevent all smtp traffic except from our email servers (2 of them). We want to make sure that a possible virus would not be able to spam out email and then have our IP Address blacklisted. All incoming email is directed to our Barracuda Spam filter first and then sent to our email servers. The spam filter is behind the firewall. All outgoing email will also be directed through the Barracuda in the future. Thanks.

garyappold Thu, 11/20/2008 - 06:49

Clarification: We want to stop all OUTGOING Smtp traffic from all ip addresses except the email servers.

Collin Clark Thu, 11/20/2008 - 06:49

In your ACL (outbound) permit the email servers and deny everything else. Assume your mail servers are & 6.

access-list INSIDE_OUT extended permit tcp host any eq smtp

access-list INSIDE_OUT extended permit tcp host any eq smtp

access-list INSIDE_OUT extended deny tcp any any eq smtp

Hope that helps.

garyappold Thu, 11/20/2008 - 07:38

Thanks Collin, this is working.

I tried something else with horrible results.


Collin Clark Thu, 11/20/2008 - 07:41

Just remember that the order is very important. Glad to hear it's working!

krisduckworth Thu, 06/18/2009 - 10:34

Please help me understand, if these ACLs are set for outbound filtering, this would only allow these two servers to communicate with any. If I have workstations that are using POP email separate and external to these SMTP servers they will be denied 100% unless I add their host IP as well?

Collin Clark Thu, 06/18/2009 - 10:44

In the above example we are permitting the two internal mail servers to send email out via SMTP and denying the users to send directly out (prevents spamming). If you have some clients that retrieve POP3 you can allow that, but typically they send email via SMTP. You can permit this "safely". Let's say that the users' POP3 incoming server is and their outgoing SMTP server is Create an ACL that allows POP3 and allows some SMTP but blocks the rest. The network is your internal LAN.

access-list extended permit tcp host eq pop3

access-list extended permit tcp host eq smtp

access-list extended deny tcp any eq smtp

Now users can get POP3 email, send email via the approved SMTP server only and are denied to any other SMTP servers.
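An added example, not from this thread or from Cisco: a small first-match evaluator that models how an ASA walks an extended access-list top to bottom, using the permit/permit/deny layout from the first answer. The addresses (10.0.0.5, 10.0.0.6, the workstation and the external MX) are constructed placeholders, and the check at the end shows why the order matters: putting the deny first shadows the two permits.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SMTP = 25


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source, destination, TCP destination port."""
    action: str            # "permit" or "deny"
    src: str               # "any", a host address, or a CIDR network
    dst: str
    dport: Optional[int]   # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        def hit(ip: str, spec: str) -> bool:
            return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
        return hit(src_ip, self.src) and hit(dst_ip, self.dst) and self.dport in (None, dport)


def evaluate(acl: list, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation, as on an ASA; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip, dport):
            return ace.action
    return "deny"


# Constructed placeholder addresses, not values from the thread.
MAIL_SERVERS = ["10.0.0.5", "10.0.0.6"]
WORKSTATION = "10.0.1.23"
INTERNET_MX = "203.0.113.25"

# The ordering from the first answer: permit the mail servers, then deny SMTP from everyone else.
INSIDE_OUT = [
    Ace("permit", "10.0.0.5", "any", SMTP),
    Ace("permit", "10.0.0.6", "any", SMTP),
    Ace("deny", "any", "any", SMTP),
    Ace("permit", "any", "any", None),  # remaining outbound traffic
]

# Same entries with the deny moved first: the two permits are shadowed and never match.
INSIDE_OUT_WRONG_ORDER = [INSIDE_OUT[2], INSIDE_OUT[0], INSIDE_OUT[1], INSIDE_OUT[3]]


def smtp_egress_ok(acl: list, mail_servers: list, other_host: str) -> bool:
    """True only if every mail server may send SMTP out and an arbitrary inside host may not."""
    servers_ok = all(evaluate(acl, s, INTERNET_MX, SMTP) == "permit" for s in mail_servers)
    others_blocked = evaluate(acl, other_host, INTERNET_MX, SMTP) == "deny"
    return servers_ok and others_blocked


if __name__ == "__main__":
    print("correct order:", smtp_egress_ok(INSIDE_OUT, MAIL_SERVERS, WORKSTATION))              # True
    print("deny first:   ", smtp_egress_ok(INSIDE_OUT_WRONG_ORDER, MAIL_SERVERS, WORKSTATION))  # False
```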
