
Prevent smtp from all IPs except email servers

garyappold (Level 1)

How can I configure our ASA 5510 ver. 7.2(2) to prevent all SMTP traffic except from our email servers (2 of them)? We want to make sure that a possible virus would not be able to spam out email and then have our IP address blacklisted. All incoming email is directed to our Barracuda spam filter first and then sent to our email servers. The spam filter is behind the firewall. All outgoing email will also be directed through the Barracuda in the future. Thanks.

6 Replies

garyappold (Level 1)

Clarification: We want to stop all OUTGOING SMTP traffic from all IP addresses except the email servers.

Collin Clark (VIP Alumni)

In your ACL (outbound) permit the email servers and deny everything else. Assume your mail servers are 10.10.10.5 & 6.

access-list INSIDE_OUT extended permit tcp host 10.10.10.5 any eq smtp
access-list INSIDE_OUT extended permit tcp host 10.10.10.6 any eq smtp
access-list INSIDE_OUT extended deny tcp any any eq smtp

Hope that helps.

Thanks Collin, this is working.

I tried something else with horrible results.

Gary

Just remember that the order is very important. Glad to hear it's working!

Please help me understand: if these ACLs are set for outbound filtering, this would only allow these two servers to communicate with any. If I have workstations that are using POP email separate and external to these SMTP servers, they will be denied 100% unless I add their host IP as well?

In the above example we are permitting the two internal mail servers to send email out via SMTP and denying the users to send directly out (prevents spamming). If you have some clients that retrieve POP3 you can allow that, but typically they send email via SMTP. You can permit this "safely". Let's say that the users' POP3 incoming server is 69.222.73.10 and their outgoing SMTP server is 75.50.95.73. Create an ACL that allows POP3 and allows some SMTP but blocks the rest. The 192.168.1.0 network is your internal LAN.

access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 69.222.73.10 eq pop3
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 75.50.95.73 eq smtp
access-list INSIDE_OUT extended deny tcp 192.168.1.0 255.255.255.0 any eq smtp

Now users can get POP3 email, send email via the approved SMTP server only and are denied to any other SMTP servers.
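The two ACLs Collin posted, run through a first-match evaluator. This is an added example, not code from the thread or from Cisco: it parses the ACE lines as written, models the ASA's implicit deny at the end of the list, and shows why moving the deny above the permits (the ordering point made earlier) cuts off the mail servers too. Naming the second ACL INSIDE_OUT and the external host 203.0.113.25 used in the checks are assumptions.

```python
# Added example (not from the thread): first-match evaluator for the
# ASA-style ACEs quoted above.
import ipaddress
PORTS = {"smtp": 25, "pop3": 110}  # service names used in the thread's ACEs

def _addr(tokens):
    """Consume one address operand: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network((tokens[0], tokens[1])), tokens[2:]

def parse_ace(line):
    """access-list NAME extended {permit|deny} tcp SRC DST eq PORT"""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "tcp":
        raise ValueError("unsupported ACE: " + line)
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    if rest[0] != "eq":
        raise ValueError("expected 'eq PORT': " + line)
    return t[3], src, dst, PORTS.get(rest[1]) or int(rest[1])

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def evaluate(acl, src_ip, dst_ip, dst_port):
    """Action of the first matching ACE. An ASA ACL ends with an implicit
    deny, so a packet that matches no ACE is dropped."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, port in acl:
        if s in src and d in dst and port == dst_port:
            return action
    return "deny"

def deny_first(acl):
    """The same ACEs with the deny moved to the top: a misordering."""
    return sorted(acl, key=lambda ace: ace[0] != "deny")

# Collin's two ACLs; naming the second INSIDE_OUT is an assumption.
MAIL_ONLY = parse_acl("""
access-list INSIDE_OUT extended permit tcp host 10.10.10.5 any eq smtp
access-list INSIDE_OUT extended permit tcp host 10.10.10.6 any eq smtp
access-list INSIDE_OUT extended deny tcp any any eq smtp
""")
LAN_POP3 = parse_acl("""
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 69.222.73.10 eq pop3
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 75.50.95.73 eq smtp
access-list INSIDE_OUT extended deny tcp 192.168.1.0 255.255.255.0 any eq smtp
""")
```

Running `evaluate(deny_first(MAIL_ONLY), "10.10.10.5", "203.0.113.25", 25)` returns "deny" even for a mail server, which is the ordering mistake the thread warns about.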
