Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

MS Exchange & PIX 515ur

Status
Not open for further replies.
rubbaninja

rubbaninja

MIS
Jun 1, 2002
217
US
Good Evening,

I have an exchange 5.5 server that is, of course, passing it's SMTP traffic through my PIX firewall 5.3(2) with a static command and access-list:

static (inside,outside) o.o.o.o. i.i.i.i netmask 255.255.255.255
access-list acl-outside permit tcp any host o.o.o.o eq smtp 0 200
"no fixup for SMTP"


The mail server is not on a DMZ (I know I know, my boss doesn't want to have to do the work because we route email for 27 domains... yup, 27.) What I am seeing is port 137 traffic when I do a show conn.
So, i set up a access-list to block port 137 traffic and now it seems like outside sources are having issues with giving us mail and us sending it out.

Anyone have a good secure access-list(s) and configuration for a ESMTP exchange server that is not on a DMZ? Or, is my configuration OK?

Any thoughts would be appreciated.


 
Sort by date Sort by votes
HI.

* You have the option to install a mail-relay in DMZ and forward incoming mail to the Exchange server. This is more secure then direct access to the "real" server.

* Why are you disabling the fixup?
In most cases there is no problem to use the basic SMTP commands via the fixup.
Are you using any ESMTP advanced features?

* If you apply any access-list to the inside interface to deny some traffic, you must then permit the legitimic traffic you wish to allow (or ip any any for all the rest not specifically denied).
You must remember to allow DNS traffic for example.

Post here your full access list configuration and more details about the errors you get (including syslog messages).

Bye

Yizhar Hurwitz
 
Upvote 0 Downvote
Sorry for the ancient reply but I figured out why I needed to work my configuration for the mail server like I did.
No reverse DNS. Half of our connections were getting lost in the bit bucket.

My next step is to finally get the dmz configured for this. Reason it is not right now? My boss built the network 5 years ago, it used to go through Raptor Firewall which watched after the email. When switched service providers and obtained a new address space we ditched the old raptor box and bought overkill in cisco products.

Thanks for your help
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
602
Johnkite
Johnkite
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
110
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
151
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
215
quazimotto
quazimotto
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
92
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top