Configuring for third party spam filtering.

chrisbreyer
Level 1

I have a Cisco Pix 4.2.(3) protecting a GroupWise mail server. I recently signed up with a company called Postini for spam filtering and want to close all smtp traffic to my server with the exception of Postini's address ranges, and have two questions.

1) Do I need to turn off the fixup command for port 25 in order to deny general access to my mail server?

2) Postini lists a range of addresses they use (i.e. 64.18.0.0 - 64.18.15.255 with a netmask of 255.255.240.0 & 207.126.144.0 - 207.126.159.255 with a netmask of 255.255.240.0). I imagine I just need to create a conduit permit for this range on port 25 for my server's ip address, but I can't seem to find the appropriate syntax. Does anyone know the syntax I should be using?

Thank you,

Chris

4 Replies

grant.maynard
Level 4

PIX 4.2(3) ? Wow.

1. No, fixup is an app layer inspection, it just looks at the SMTP commands and only allows the key ones. But some mail servers do not like it. Leave it on unless there's a problem.

2. Yes, good ol' conduits. Config guide at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_42/pix42cfg/index.htm

Thank you for the fixup information. As for the conduit command, I spent quite a bit of time with the manual (and Google) before posting, but couldn't realize or come across the correct syntax, especially on how to properly enter the range of addresses to permit (e.g. 64.18.0.0 through 64.18.15.255). While my company's firewall might be ancient, I'm pretty new to this, and appreciate any further advice you might be able to offer.

Thank you again,

Chris

static (inside, outside) mail_server_public_ip mail_server_internal_ip

conduit permit tcp host mail_server_public_ip eq 25 64.18.0.0 255.255.240.0

By default, PIX Firewall restricts all access to mail servers to RFC 821 section 4.5.1 commands of DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET. This occurs via the Mail Guard service which is set with the following default configuration command:

fixup protocol smtp 25

You should consider upgrading to v7 for the new features and easier config. You'd have to check your DRAM and flash for that.
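As an added illustration (not code from this thread), the script below turns the two Postini ranges quoted in the question into the conduit syntax shown above and simulates how the PIX decides on a few inbound SMTP connections (a matching conduit permits; anything unmatched is implicitly denied). The public address 192.0.2.25 is a placeholder standing in for mail_server_public_ip.

```python
# Added example, not from the thread: build PIX 4.x conduit lines from the
# Postini address ranges in the question and simulate the firewall's verdict.
import ipaddress

MAIL_SERVER_PUBLIC_IP = "192.0.2.25"  # placeholder for mail_server_public_ip

# Ranges exactly as the question lists them: (first address, last address, netmask)
POSTINI_RANGES = [
    ("64.18.0.0", "64.18.15.255", "255.255.240.0"),
    ("207.126.144.0", "207.126.159.255", "255.255.240.0"),
]

def range_to_network(start, end, mask):
    """Verify that start..end is exactly one netmask-aligned block and return it.
    A range that is not a single block cannot be expressed as one conduit line."""
    net = ipaddress.IPv4Network(f"{start}/{mask}")  # strict: start must be the network address
    if net.broadcast_address != ipaddress.IPv4Address(end):
        raise ValueError(f"{start}-{end} is not a single block under mask {mask}")
    return net

def build_conduits(server_ip, ranges):
    """One 'conduit permit' per block: only these sources may reach tcp/25 on the server."""
    lines = []
    for start, end, mask in ranges:
        net = range_to_network(start, end, mask)
        lines.append(f"conduit permit tcp host {server_ip} eq 25 "
                     f"{net.network_address} {net.netmask}")
    return lines

def smtp_allowed(src_ip, dst_ip, dst_port, server_ip, ranges):
    """Simulate the PIX decision for an inbound connection: permitted only when the
    destination is the mail server on port 25 and the source lies in a permitted block."""
    if dst_ip != server_ip or dst_port != 25:
        return False  # no conduit covers it -> implicit deny
    src = ipaddress.IPv4Address(src_ip)
    return any(src in range_to_network(s, e, m) for s, e, m in ranges)

if __name__ == "__main__":
    print(f"static (inside, outside) {MAIL_SERVER_PUBLIC_IP} mail_server_internal_ip")
    for line in build_conduits(MAIL_SERVER_PUBLIC_IP, POSTINI_RANGES):
        print(line)
    # Constructed probe sources: two inside the Postini blocks, two outside.
    for probe in ("64.18.7.9", "207.126.150.1", "64.18.16.1", "203.0.113.7"):
        ok = smtp_allowed(probe, MAIL_SERVER_PUBLIC_IP, 25, MAIL_SERVER_PUBLIC_IP, POSTINI_RANGES)
        print(f"{probe:>16} -> {'permit' if ok else 'deny'}")
```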

That was exactly what I needed. Many thanks for your help. Whenever I get better at this, I'll do the same for someone else some day.

- Chris
