Should I block inbound port 25 on the PIX 515?


Posted by Corbin O'Reilly on April 20, 2005, 8:08 am
Hi everyone. OK here is our situation. We currently have an Exchange 5.5
server. Port 25 is open inbound and outbound to the Exchange Server. We
recently set up an anti-spam server, added an MX record for it, and opened
inbound port 25 to it. We then removed the Exchange Server's MX record. Now
mail coming to our company from the outside first comes to the anti-spam
server and then is routed internally to the Exchange Server. The Exchange
Server still sends mail out through port 25. My question is since e-mail is
now coming to the anti-spam server first and never directly to the Exchange
Server, can I close inbound port 25 to the Exchange? Will this cause any
problems sending e-mail out of our company? I would appreciate any advice.
Thanks.




Posted by on April 20, 2005, 6:35 am
I'm working on a site with a similar configuration. Are you perchance
using the same IP incoming and outgoing? I'm wondering what command
you are using to bring mail to your anti-spam server.

cos



Posted by Brad on April 20, 2005, 6:53 am
On what port does the spam server talk to the exchange server? If it's
25 you'll need to keep it open. Based on your description I'm assuming
the spam server is outside the firewall and the exchange server is
inside the firewall. If you're limiting the inbound port 25 traffic to
only originate from the spam server's IP address you should be ok
unless the spam server gets compromised.



Posted by Corbin O'Reilly on April 20, 2005, 10:09 am
Both the anti-spam server and Exchange Server are on the same internal
subnet. I have NAT set up on the PIX. Both servers have their public IPs
translating to internal private IPs.

> On what port does the spam server talk to the exchange server? If it's
> 25 you'll need to keep it open. Based on your description I'm assuming
> the spam server is outside the firewall and the exchange server is
> inside the firewall. If you're limiting the inbound port 25 traffic to
> only originate from the spam server's IP address you should be ok
> unless the spam server gets compromised.
>




Posted by Corbin O'Reilly on April 20, 2005, 9:58 am
Hey cos. The anti-spam server has a different public/private IP Address than
the Exchange Server. What I did was set up the anti-spam software on another
server, put in a static (inside,outside) command in my PIX, opened port 25
to the anti-spam server, removed my Exchange Server's MX record from my
ISP's DNS Servers, and replaced it with a new MX record pointing to the
anti-spam server. Now mail from the outside comes into the anti-spam server
and is routed internally to the Exchange Server. The Exchange Server still
sends mail out through port 25 to the rest of the world. I still have
inbound port 25 open to the Exchange Server but it looks like I can safely
remove that entry from the PIX because e-mail from the outside world is now
coming directly to the anti-spam server and not to the Exchange Server.

> I'm working on a site with a similar configuration. Are you perchance
> using the same IP incoming and outgoing? I'm wondering what command
> you are using to bring mail to your anti-spam server.
>
> cos
>
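The configuration change discussed in this thread, written out as an added illustration in PIX 6.x-style syntax. This is not a configuration posted by anyone in the thread: the interface names, the access-list name `outside_in`, and all addresses (RFC 5737 documentation space for the public side, RFC 1918 for the inside) are assumed, and the comment lines are explanatory rather than part of the configuration.

```cisco
! Added example, not from the thread. Assumed addressing (constructed):
!   anti-spam server  inside 192.168.1.20  <->  public 203.0.113.20
!   Exchange 5.5      inside 192.168.1.10  <->  public 203.0.113.10
!
! One-to-one static translations for both hosts. A static is bidirectional:
! the Exchange server keeps sending outbound SMTP from 203.0.113.10 after
! the inbound permit below is removed, because inside->outside traffic is
! allowed by the interface security levels, not by the outside access list.
static (inside,outside) 203.0.113.20 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! BEFORE: the Internet can open SMTP to both hosts.
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside

! AFTER: only the anti-spam server accepts SMTP from the Internet.
! The anti-spam -> Exchange hop stays on the inside subnet and never
! crosses the PIX, so it needs no inbound rule.
no access-list outside_in permit tcp any host 203.0.113.10 eq smtp
```

Before removing the Exchange entry, `show access-list` on a PIX 6.2 or later shows a hit count per entry; once the MX record change has propagated, the Exchange line should stop accumulating hits, which confirms that nothing outside still delivers to it directly. Connections already established through the removed entry continue until they close on their own.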



