Cisco Support Community

Filter Outbound SMTP on PIX

I've got a PIX 515 running 6.3(3). As an extra added security measure in the face of viruses, I want to make sure that only 1 system in our DMZ can send e-mail messages out to port 25 on any IP address outside of our network. If an infected machine tries to start spewing mail with its own SMTP connections, the firewall will block it. If the infected machine uses our outgoing mail system in the DMZ, we're still screwed.

There is a global pool defined for our outside interface. The allowable connection will come from one machine in our DMZ. We want to block attempts from any other machine on any higher level interface from getting out.

I'm having a tough time trying to figure out where to place the access list. My first thought was to put it on the outside interface, but I don't think that's going to work because the traffic is outbound from the outside interface. There are certainly no access lists in place on the outside interface that specifically allow the NAT'd and PAT'd traffic that works correctly now.

Does anyone have an example of how to do this?




Re: Filter Outbound SMTP on PIX

how does mail get from your users to the smtp server in the dmz? that changes things.

for example ms exchange uses a proprietary protocol, so you could apply an acl on the inside interface:

deny tcp any any eq smtp

permit ip any any

that rough example would block only traffic from anyone to anyone's smtp port. if the clients need to speak smtp to your dmz server though, then you need to make an exception.

similarly, you could add an acl to the dmz interface, allowing only source ip of smtp server to make smtp connections through the interface


Re: Filter Outbound SMTP on PIX

Legitimate mail from our users is sent to the Exchange server and then the Exchange server sends it via SMTP to the outgoing mail server in the DMZ. So, legitimate traffic is clearly defined as one machine in the DMZ sending out to the internet on port 25.

I'm not sure your example will work in my situation. There is a machine in the DMZ that accepts all of the incoming mail for our company and then forwards it from the DMZ up to the Exchange server (which is at a higher level on the PIX). The good news is that legitimate incoming mail from the DMZ to Exchange will always come from 1 system in the DMZ to 1 system on the inside (the Exchange server).

Because we have a global pool set up, any illegitimate outbound traffic from the inside interface to the outside wouldn't go to the DMZ--it would just use the global pool to go directly outside. I guess I'm struggling with where to place the access list because this is outbound traffic and access lists affect traffic inbound to an interface. I'm not sure I can find a place to grab hold of this traffic.
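The following is an added configuration example, not something posted in this thread, that puts the earlier reply's suggestion (an ACL on the dmz interface permitting only the relay's source address to open SMTP connections, plus an exception on the inside interface for the Exchange server) into PIX 6.3 syntax, and also addresses the placement question above: on the PIX an access-group is evaluated on traffic entering the firewall from that interface, so DMZ-to-Internet SMTP is caught by an ACL bound "in" on the dmz interface, and inside-to-anywhere SMTP by one bound "in" on the inside interface. The interface names "inside" and "dmz", the ACL names, and the addresses 192.168.2.10 (DMZ relay) and 10.1.1.20 (Exchange server) are assumed placeholders; substitute your own.

```cisco
: Added example, not the original poster's configuration.
: Assumed addresses: 192.168.2.10 = DMZ outbound mail relay, 10.1.1.20 = inside Exchange server.
: Assumed interface names: inside, dmz.
:
: --- dmz interface: only the relay may originate SMTP through the firewall ---
: Evaluated on packets arriving from the DMZ, which includes DMZ-to-outside traffic.
access-list dmz_in permit tcp host 192.168.2.10 any eq smtp
: Any other DMZ host attempting port 25 is dropped; "log" (PIX 6.3 ACL logging) raises
: syslog 106100 so an infected host spewing mail shows up in your logs.
access-list dmz_in deny tcp any any eq smtp log
: Once an access-group is bound, the interface loses its security-level default and ends
: in an implicit deny, so everything else must be permitted explicitly.
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

: --- inside interface: only Exchange may talk SMTP, and only to the DMZ relay ---
: An inside host going straight to the outside via the global pool never touches the DMZ,
: so the block has to happen here, where that traffic first enters the PIX.
access-list inside_in permit tcp host 10.1.1.20 host 192.168.2.10 eq smtp
access-list inside_in deny tcp any any eq smtp log
access-list inside_in permit ip any any
access-group inside_in in interface inside
```

Apply the dmz_in group first, then the inside_in group, and check the result with "show access-list" (the hit counters per line) and by watching for 106100 deny messages; an inside workstation or a second DMZ host attempting a port 25 connection should be logged and dropped while mail from Exchange through the relay continues to flow. Keep in mind that inbound mail from the Internet to the relay, and the relay's forwarding to Exchange, are separate flows governed by your existing static/conduit or outside-interface rules and are not affected by the lines above.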

