Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

mail server security

How do I stop outside telnet to port 25 of a mail server. I am trying to prevent anyone from telnetting from outside and run the commands that mailguard does not block, ie. HELO ME, MAIL TO, RCPT TO, etc. Of course denying inbound telnet to the gateway router or firewall does not work. Using TCP established access-list is not an option either.

Thanks for your input.


Re: mail server security

I don't want to be insulting, but you need to read the RFCs for SMTP. The commands you describe are how internet email gets transferred. If you don't want to allow those commands, then you don't want to receive internet email. You aren't really allowing telnet to port 25. SMTP is an ascii protocol - human admins can make an ascii connection via telnet and debug servers by entering the same commands that mail software would. HTTP, POP, IMAP, LDAP are all similar.

Community Member

Re: mail server security

I presume you are using PIX, get another Mail-Server and let it acting as a Mail-Relay server for incoming SMTP, configure your outgoing mail server without statically mapped IP, like your other Natted inside clients, so the outgoing message will go out without having a problem, ask your provider to allow the IP of your PAT for your outgoing messages.

Add an entry in your domain with the IP of Mail relay-server with MX for incoming mail.

You need to create an static entry for mail relay server with an access list to allow (Domain/SMTP).

This way no one can telnet/ping your outgoing smtp at all.

if you need any further help send me a message on


CreatePlease to create content