Restricting SMTP inbound traffic

Unanswered Question
Mar 17th, 2012
I use a mail filtering service that delivers mail to me via SMTP on standard port 25 on one of my 5 static external IPs. I wish to restrict this to their IPs only (they have two) and I am unsure how to do so. As it stands now, anything on the net can talk to my mailserver and my logs are filling quickly with failed attempts as a result. Here's my setup and what I am trying to accomplish:


mail filtering service -> my public ip:25 -> internal mailserver at 10.0.10.2:25, deny everything inbound except traffic from the mail filtering service


I am thinking an ACL would fit the bill here, but unsure of how to implement.


Router is an 1811 with version 15.1(4)M3 IOS. WAN is on fa0, LAN is on fa1.

Vasileios Boulo... Sat, 03/17/2012 - 15:18

Hi Stephen,


Please correct me if I misunderstood your setup.

You want to permit only the mail service traffic from your outside (WAN) interface of your 1811 router to your inside (LAN) interface.

In this case you can create the following extended access-list:


ip access-list extended filter                         -> the name of the access-list

permit tcp host "public IP" host 10.0.10.2 eq 25 -> you allow only the smtp traffic from public IP to 10.0.10.2

deny ip any any


Then you have to apply this access-list to the WAN interface:

interface fa0

ip access-group filter in


Hope that helps

Vasilis

sbrown6079 Sat, 03/17/2012 - 17:19
That makes sense to me, but does not appear to be working. This is what I ended up with for the ACL:


Extended IP access list smtp

    10 permit tcp host 207.210.234.37 host 10.0.10.2 eq smtp

    20 permit tcp host 207.200.28.37 host 10.0.10.2 eq smtp

    30 deny ip any any (1234 matches)


The 207.210.234.37 and 207.200.28.37 are the IPs of the mail filtering service. As a test I logged into another remote server and was able to telnet to port 25; I expected it to be denied. I also applied the ACL to fa0 inbound:


Inbound  access list is SMTP


And the only other thing I'll mention is that I have a static NAT entry for this as well (for inbound traffic):

ip nat inside source static tcp 10.0.10.2 25 my.public.ip 25 extendable

Vasileios Boulo... Sun, 03/18/2012 - 01:55

You can easily find the traffic that is denied in order to then modify your access-list.


Remove entry 30:


conf t

ip access-list extended smtp

no 30


and add the following command:

100 deny ip any any log   -> 100 is the sequence number in your access-list ... it should be the last entry


Then check the logs (show logging) and you can easily find the streams that should be permitted but are denied in your access-list.

Then modify your access-list according to this info.


PS: maybe you need to permit the following entries too:



15 permit tcp host 207.210.234.37 eq smtp host 10.0.10.2

25 permit tcp host 207.200.28.37 eq smtp host 10.0.10.2
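The following is an added example, not configuration posted by anyone in this thread, showing the ACL from sbrown6079's post beside a version that accounts for two IOS behaviours the thread does not mention. First, for packets arriving on the outside interface, IOS evaluates the inbound access-group before the static NAT rewrites the destination, so an inbound ACL on fa0 must match the public address, not 10.0.10.2. Second, named ACLs are case-sensitive, and an access-group that references a name with no entries permits everything, so the name in "show ip interface" must match the configured ACL exactly. The public address 203.0.113.10 is a placeholder from the documentation range; the two filtering-service addresses are the ones from the thread.

```ios
! Added example (not from the thread). Inbound filter on the WAN
! interface of a Cisco IOS router that fronts a static NAT for SMTP.
! 203.0.113.10 is a placeholder for the router's public mail IP.

! --- as posted: matches the post-NAT (inside) address, so on an
! --- inbound WAN ACL these permits never match incoming SMTP
ip access-list extended smtp-wrong
 permit tcp host 207.210.234.37 host 10.0.10.2 eq smtp
 permit tcp host 207.200.28.37 host 10.0.10.2 eq smtp
 deny ip any any

! --- corrected: match the PUBLIC address the packet still carries when
! --- the inbound ACL is evaluated, keep return traffic for LAN-initiated
! --- TCP sessions, and log everything that is dropped
ip access-list extended smtp-in
 remark SMTP only from the filtering service to the public mail IP
 permit tcp host 207.210.234.37 host 203.0.113.10 eq smtp
 permit tcp host 207.200.28.37 host 203.0.113.10 eq smtp
 remark replies to TCP connections opened from the LAN
 permit tcp any any established
 remark explicit final deny with logging (%SEC-6-IPACCESSLOGP)
 deny ip any any log

! --- apply to the WAN interface; the name is case-sensitive
interface FastEthernet0
 ip access-group smtp-in in

! --- verification: confirm the applied name matches, watch hit counts,
! --- and read the logged denies before trusting the filter
! show ip interface FastEthernet0 | include access list
! show access-lists smtp-in
! show logging | include IPACCESSLOGP
```

A bare "deny ip any any" inbound on the WAN interface also drops replies to connections the LAN initiates; the "established" line covers TCP only, so UDP replies such as DNS still need either explicit permits or stateful inspection (for example the IOS "ip inspect" feature applied outbound on the same interface) before this filter is left in place on a router that also carries normal Internet traffic.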