Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

mail server security

Unanswered Question
May 8th, 2003
User Badges:

How do I stop outside telnet to port 25 of a mail server. I am trying to prevent anyone from telnetting from outside and run the commands that mailguard does not block, ie. HELO ME, MAIL TO, RCPT TO, etc. Of course denying inbound telnet to the gateway router or firewall does not work. Using TCP established access-list is not an option either.

Thanks for your input.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

I don't want to be insulting, but you need to read the RFCs for SMTP. The commands you describe are how internet email gets transferred. If you don't want to allow those commands, then you don't want to receive internet email. You aren't really allowing telnet to port 25. SMTP is an ascii protocol - human admins can make an ascii connection via telnet and debug servers by entering the same commands that mail software would. HTTP, POP, IMAP, LDAP are all similar.

I presume you are using PIX, get another Mail-Server and let it acting as a Mail-Relay server for incoming SMTP, configure your outgoing mail server without statically mapped IP, like your other Natted inside clients, so the outgoing message will go out without having a problem, ask your provider to allow the IP of your PAT for your outgoing messages.

Add an entry in your domain with the IP of Mail relay-server with MX for incoming mail.

You need to create an static entry for mail relay server with an access list to allow (Domain/SMTP).

This way no one can telnet/ping your outgoing smtp at all.

if you need any further help send me a message on [email protected]



This Discussion