We have some issues with e-mail and the domain gets blacklisted. I am wondering whether there is some kind of virus on some computers that may be using port 25 to send SMTP traffic. Is there any way to configure the PIX so that it accepts SMTP traffic only from the mail servers and blocks any SMTP traffic from individual PCs? This is all on the LAN. I thought of creating ACLs on the inside interface, but I may have to create multiple ACLs and they would be hard to manage.
Also, is there any way on the PIX to see the host IP or MAC that may be sending a lot of SMTP traffic?
You can use an ACL so that only your e-mail server is allowed to send traffic destined to TCP port 25, and everyone else is blocked.
access-list inside-acl remark only the mail server may originate SMTP (tcp/25)
access-list inside-acl permit tcp host x.x.x.x any eq 25
access-list inside-acl deny tcp any any eq 25
access-list inside-acl permit ip any any
access-group inside-acl in interface inside
The above ACL is applied inbound ("in") on the inside interface, where x.x.x.x is the private/inside IP address of your e-mail server.
The same thing can be done with the outside ACL.
access-list outside-acl permit tcp any host y.y.y.y eq 25
access-group outside-acl in interface outside
meaning only y.y.y.y, the translated/public address of the e-mail server, is reachable on port 25 from the outside.
You cannot use a MAC address to block on a PIX/ASA/FWSM.
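The answer above covers the blocking side but not the second question, which host is generating the SMTP traffic. The deny entry in the ACL gives you that for free: once the ACL is applied, every blocked attempt shows up in the firewall's syslog as message 106023 (or 106100 if the deny entry is written with the "log" keyword), and both messages carry the source IP and port. The script below is an added example, not code from the original thread or from Cisco; it parses a constructed set of PIX syslog lines (assumed to have been collected with "logging buffered" and "show logging", or from an external syslog server) and ranks inside hosts by the number of denied SMTP connection attempts. The ACL name "inside-acl" and the sample IP addresses are assumptions taken from the ACL in the answer.

```python
import re
from collections import Counter

# Constructed PIX/ASA syslog sample (not from the original thread).
# 106023 is logged for an ACL deny without the "log" keyword, one line per attempt.
# 106100 is logged when the ACE carries "log"; hit-cnt aggregates attempts per interval.
# The 302013 and udp/445 lines are noise the parser must ignore.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src inside:192.168.1.50/49211 dst outside:203.0.113.25/25 by access-group "inside-acl" [0x0, 0x0]
%PIX-4-106023: Deny tcp src inside:192.168.1.50/49212 dst outside:198.51.100.7/25 by access-group "inside-acl" [0x0, 0x0]
%PIX-6-106100: access-list inside-acl denied tcp inside/192.168.1.50(49213) -> outside/203.0.113.30(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%PIX-6-106100: access-list inside-acl denied tcp inside/192.168.1.77(51002) -> outside/203.0.113.25(25) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.1.10/40000 (198.51.100.2/40000)
%PIX-4-106023: Deny tcp src inside:192.168.1.50/49214 dst outside:203.0.113.25/25 by access-group "inside-acl" [0x0, 0x0]
%PIX-4-106023: Deny udp src inside:192.168.1.50/5000 dst outside:203.0.113.25/445 by access-group "inside-acl" [0x0, 0x0]
"""

# %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
RE_106023 = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# %PIX-6-106100: access-list <acl> denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt <n>
RE_106100 = re.compile(
    r'access-list (?P<acl>\S+) denied (?P<proto>\w+) '
    r'(?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> '
    r'(?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)'
)


def denied_smtp_by_source(log_text, acl_name="inside-acl", dport="25"):
    """Return [(source_ip, denied_attempts), ...] sorted by count, highest first.

    Only TCP denies to `dport` by the named ACL are counted; 106100 lines
    contribute their hit-cnt, 106023 lines contribute one attempt each.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = RE_106023.search(line)
        if m:
            hits = 1
        else:
            m = RE_106100.search(line)
            if not m:
                continue  # not an ACL deny message (e.g. 302013 connection built)
            hits = int(m.group("hits"))
        if m.group("acl") != acl_name:
            continue
        if m.group("proto") != "tcp" or m.group("dport") != dport:
            continue
        counts[m.group("src")] += hits
    return counts.most_common()


if __name__ == "__main__":
    for src, n in denied_smtp_by_source(SAMPLE_LOG):
        print(f"{src:<16} {n} denied SMTP attempts")
```

Any inside host that appears in this list and is not the mail server is a candidate for the malware you suspect; in this sample 192.168.1.50 is the obvious one. Without a syslog collector, "show access-list inside-acl" on the PIX shows a hitcnt per entry, which confirms that the deny line is being hit but does not say by whom, so the log messages are what tie the traffic to a host. The MAC address is not in these messages; look it up from the IP on the switch or with the host's ARP entry.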