
Making SMTP more secure on Cisco827

I am running IOS 12.2 FW and have protected all ports except for TCP port 25, which is open for SMTP (MS Exchange 2000). The ISP keeps changing the IP addresses of its mail servers, so I can't use IP addresses in the ACLs, but I do have a list of DNS names for the mail servers and these do not change. Can I use the DNS names in the ACLs or perform some sort of DNS lookup, so that I can restrict where SMTP traffic comes from? I am a new CCNA who has installed 11x 827s but would like some advice on how to tighten up security for SMTP. Many thanks to anyone who can help.

Cisco Employee

Re: Making SMTP more secure on Cisco827

You can't unfortunately use a hostname in an ACL. You can define a DNS server on the router itself, which then enables you to ping/telnet/etc FROM the router using the hostname, but it still doesn't allow you to use this to define an ACL.

When you say you've protected all ports, do you mean into your networks or do you mean that you haven't added the SMTP inspection line into your FW config?

If the former, and I presume you don't have your own internal SMTP servers here but are using the ISP's for your mail, then you'll just have to allow all SMTP into your network, there's really no good way around it.

If the latter, then this is good if the ISP is using Exchange, but as long as you have inspected TCP outbound, that traffic will be allowed back in. When using IOS FW, you can pretty much deny all inbound traffic except stuff that needs to originate from the outside, like HTTP traffic to an internal WWW server or something like that. If your users are on the inside and the mail servers are on the outside, then just deny inbound traffic, inspect TCP, and your users will be able to connect to the SMTP server and get their mail, but the SMTP server won't be able to initiate a connection to them, which is fine.
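The reply above describes the IOS Firewall (CBAC) pattern in words: inspect outbound sessions so their return traffic is admitted, and deny everything unsolicited from the outside except the one service that must be reachable, which in the original poster's case is SMTP to the internal Exchange server. The configuration below is an added example written for this thread, not config posted by either participant. It assumes Dialer0 is the ISP-facing interface, Ethernet0 is the LAN, the inspection rule name FW-OUT and ACL name OUTSIDE-IN are arbitrary, and 203.0.113.10 is a placeholder for the public address that maps to the Exchange server. As the reply notes, the inbound permit must be by address, since IOS ACLs cannot match on DNS names.

```cisco
! Added example (not from the original thread). Assumptions: Dialer0 is the
! outside interface, Ethernet0 is the inside LAN, 203.0.113.10 is a
! placeholder public address for the internal Exchange 2000 server, and the
! names FW-OUT and OUTSIDE-IN are arbitrary.
!
! CBAC inspection rule: outbound TCP and UDP sessions started from the LAN
! get temporary return-path openings, so no inbound permit is needed for
! users fetching mail from the ISP. The smtp entry applies application-layer
! inspection to mail sessions, which is the "SMTP inspection line" the reply
! mentions.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT smtp
!
! Inbound ACL on the outside interface. Only traffic that must originate on
! the Internet (inbound SMTP to the mail server) is permitted; everything
! else is denied and logged. CBAC inserts dynamic entries ahead of this ACL
! for sessions the inside initiated, so outbound SMTP to the ISP's servers
! still works whatever addresses they move to.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq smtp
 deny   ip any any log
!
interface Dialer0
 description ISP uplink (outside)
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
!
interface Ethernet0
 description Inside LAN
!
! Verification after applying:
!   show ip inspect sessions        (dynamic openings CBAC has created)
!   show ip access-lists OUTSIDE-IN (hit counts on the permit and deny lines)
```

The "deny ip any any log" line is what turns the ACL into a detection point: inbound connection attempts to anything other than port 25 on the mail server show up in the router log, so unexpected scanning or misconfigured NAT is visible without any extra tooling. If the poster later moves to the other scenario the reply covers (no internal mail server, users reading mail from the ISP), the permit line is simply removed and the inspection rule alone carries the mail traffic.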
