How do I stop outside telnet to port 25 of a mail server. I am trying to prevent anyone from telnetting from outside and run the commands that mailguard does not block, ie. HELO ME, MAIL TO, RCPT TO, etc. Of course denying inbound telnet to the gateway router or firewall does not work. Using TCP established access-list is not an option either.
I don't want to be insulting, but you need to read the RFCs for SMTP. The commands you describe are how internet email gets transferred. If you don't want to allow those commands, then you don't want to receive internet email. You aren't really allowing telnet to port 25. SMTP is an ascii protocol - human admins can make an ascii connection via telnet and debug servers by entering the same commands that mail software would. HTTP, POP, IMAP, LDAP are all similar.
I presume you are using PIX, get another Mail-Server and let it acting as a Mail-Relay server for incoming SMTP, configure your outgoing mail server without statically mapped IP, like your other Natted inside clients, so the outgoing message will go out without having a problem, ask your provider to allow the IP of your PAT for your outgoing messages.
Add an entry in your domain with the IP of Mail relay-server with MX for incoming mail.
You need to create an static entry for mail relay server with an access list to allow (Domain/SMTP).
This way no one can telnet/ping your outgoing smtp at all.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...