I have a Cisco Pix 4.2.(3) protecting a GroupWise mail server. I recently signed up with a company called Postini for spam filtering and want to close all smtp traffic to my server with the exception of Postini's address ranges, and have two questions.
1) Do I need to turn off the fixup command for port 25 in order to deny general access to my mail server?
2) Postini lists a range of addresses they use (i.e. 188.8.131.52 - 184.108.40.206 with a netmask of 255.255.240.0 & 220.127.116.11 - 18.104.22.168 with a netmask of 255.255.240.0). I imagine I just need to create a conduit permit for this range on port 25 for my server's ip address, but I can't seem to find the appropriate syntax. Does anyone know the syntax I should be using?
Thank you for the fixup information. As for the conduit command, I spent quite a bit of time with the manual (and Google) before posting, but couldn't realize or come across the correct syntax, especially on how to properly enter the range of addresses to permit (e.g. 22.214.171.124 through 126.96.36.199). While my company's firewall might be ancient, I'm pretty new to this, and appreciate any further advice you might be able to offer.
By default, PIX Firewall restricts all access to mail servers to RFC 821 section 4.5.1 commands of DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET. This occurs via the Mail Guard service which is set with the following default configuration command:
fixup protocol smtp 25
You should consider upgrading to v7 for the new features and easier config. You'd have to check your DRAM and flash for that.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...