Cisco Support Community

Configuring for third party spam filtering.

I have a Cisco PIX 4.2(3) protecting a GroupWise mail server. I recently signed up with a company called Postini for spam filtering and want to close all SMTP traffic to my server with the exception of Postini's address ranges, and have two questions.

1) Do I need to turn off the fixup command for port 25 in order to deny general access to my mail server?

2) Postini lists a range of addresses they use (i.e. - with a netmask of & - with a netmask of I imagine I just need to create a conduit permit for this range on port 25 for my server's IP address, but I can't seem to find the appropriate syntax. Does anyone know the syntax I should be using?

Thank you,



Re: Configuring for third party spam filtering.

PIX 4.2(3) ? Wow.

1. No, fixup is an app-layer inspection; it just looks at the SMTP commands and only allows the key ones. But some mail servers do not like it. Leave it on unless there's a problem.

2. Yes, good ol' conduits. Config guide at


Re: Configuring for third party spam filtering.

Thank you for the fixup information. As for the conduit command, I spent quite a bit of time with the manual (and Google) before posting, but couldn't realize or come across the correct syntax, especially on how to properly enter the range of addresses to permit (e.g. through While my company's firewall might be ancient, I'm pretty new to this, and appreciate any further advice you might be able to offer.

Thank you again,


Re: Configuring for third party spam filtering.

static (inside, outside) mail_server_public_ip mail_server_internal_ip

conduit permit tcp host mail_server_public_ip eq 25 postini_network postini_netmask

By default, PIX Firewall restricts all access to mail servers to RFC 821 section 4.5.1 commands of DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET. This occurs via the Mail Guard service which is set with the following default configuration command:

fixup protocol smtp 25

You should consider upgrading to v7 for the new features and easier config. You'd have to check your DRAM and flash for that.
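An added example, not part of the thread: a Python helper that turns a first-to-last address range, the form in which a filtering provider may publish its senders, into the network/netmask pairs a conduit statement takes. All addresses are constructed documentation values, the function name is hypothetical, and placing the source network and mask after the port is assumed from the conduit form shown in the reply above.

```python
import ipaddress


def conduit_lines(public_ip, first, last, port=25):
    """Build conduit permit lines allowing only first..last to reach public_ip.

    A range that is not aligned on a single netmask boundary is split into
    the smallest set of network/netmask blocks that covers it exactly, so
    no address outside the published range is permitted by accident.
    """
    host = ipaddress.IPv4Address(public_ip)
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")

    lines = []
    for net in ipaddress.summarize_address_range(lo, hi):
        # Assumed layout: global host, port, then source network and mask.
        lines.append(
            f"conduit permit tcp host {host} eq {port} "
            f"{net.network_address} {net.netmask}"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample input: one aligned range and one unaligned range.
    samples = [
        ("198.51.100.0", "198.51.100.255"),  # exactly one /24
        ("203.0.113.16", "203.0.113.47"),    # needs two /28 blocks
    ]
    for first, last in samples:
        for line in conduit_lines("192.0.2.10", first, last):
            print(line)
```

A range that yields more lines than expected usually means the published start or end address was mistyped, which is worth checking before the lines go onto the firewall.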


Re: Configuring for third party spam filtering.

That was exactly what I needed. Many thanks for your help. Whenever I get better at this, I'll do the same for someone else some day.

- Chris
