Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Restricting SMTP inbound traffic

I use a mail filtering service that delivers mail to me via SMTP on standard port 25 on one of my 5 static external IP's. I wish to restrict this to their IP's only (they have two) and I am unsure on how to do so? As it stands now, anything on the net can talk to my mailserver and my logs are filling quickly with failed attempts as a result. Here's my setup and what I am trying to accomplish:

mail filtering service -> my public ip:25 -> internal mailserver at 10.0.10.2:25, deny everything inbound except traffic from the mail filtering service

I am thinking an ACL would fit the bill here, but unsure of how to implement.

Router is an 1811 with version 15.1(4)M3 IOS. WAN is on fa0, lan is on fa1.

Everyone's tags (4)
3 REPLIES

Restricting SMTP inbound traffic

Hi Stephen,

Please correct me if I misunderstood your setup.

You want to permit only the mail service traffic from your outside (WAN) interface of your 1811 router to your inside (LAN) interface.

In this case you can create the next extended access-list

ip access list extended filter                         ->the name of the access-list

permit tcp host "public IP" host 10.0.10.2 eq 25 -> you allow only  the smtp traffic from public IP to 10.0.10.2

deny ip any any

Then you have to apply this access-list to the WAN interface

interface fa0

ip access-group filter in

Hope that helps

Vasilis

Community Member

Restricting SMTP inbound traffic

That makes sense to me, but does not appear to be working. This is what I ended up with for the ACL:

Extended IP access list smtp

    10 permit tcp host 207.210.234.37 host 10.0.10.2 eq smtp

    20 permit tcp host 207.200.28.37 host 10.0.10.2 eq smtp

    30 deny ip any any (1234 matches)

The 207.210.234.37 and 207.200.28.37 are the IP's of the mail filtering service. As a test I logged into another remote server and was able to telnet to port 25, I expected it to be denied? I also applied the ACL to fa0 inbound:

Inbound  access list is SMTP

And the only other thing I'll mention is that I have a static NAT entry for this as well (for inbound traffic):

ip nat inside source static tcp 10.0.10.2 25 my.public.ip 25 extendable

Restricting SMTP inbound traffic

You can easily find the traffic that is denied in order to modify then you Access-list

remove the entry 30 and add the next

conf t

ip access-list extended smtp

no 30

and add the next command

100 deny ip any any log   -> 100 is the sequence number in you access-list ...should be the last entry

Then check the logs ( show logging) and you can easily find the steams that should be permited but are denied in your access-list.

Then modify your access-list according to this info.

PS: maybe you need to permit the next entries too

15 permit tcp host 207.210.234.37 eq smtp host 10.0.10.2

25 permit tcp host 207.200.28.37 eq smtp host 10.0.10.2

2975
Views
0
Helpful
3
Replies
CreatePlease to create content