04-01-2008 09:48 AM - edited 03-11-2019 05:25 AM
In my PIX 515E there is an access-list entry: access-list out_acl permit tcp any host 69.67.67.100 eq smtp
69.67.67.100 is the public IP address of the mail server.
Do I need this? Can somebody explain to me what this access-list is doing?
Why should I want any host to access my mail server through SMTP?
Thanks
04-01-2008 02:56 PM
This ACE permits all incoming traffic on port 25 (SMTP) from the mentioned IP address.
It's the typical ACE if you have an active mail server/service in your site.
Generally, it is not sufficient: you should also have a static route (like: static (inside,outside) tcp 69.67.67.100 25 192.168.1.10 25 netmask 255.255.255.255 - that is a PAT) or (static (inside,outside) 69.67.67.100 192.168.1.10 25 netmask 255.255.255.255 - that is a NAT); this assumes that your mail server is on IP 192.168.1.10. The first STATIC routes the incoming traffic on port 25 (SMTP) to your server (192.168.1.10) on the same port; the second STATIC command routes all incoming traffic on all ports to your IP 192.168.1.10.
Finally, the ACE you showed should also be enabled with the related ACCESS-GROUP command (e.g. access-group out_acl in interface outside).
I hope this helps
Regards
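The three pieces named in the answer above (translation, filter, and the access-group that binds the filter to the interface), collected into one fragment as an added example; this is not the poster's configuration or anything from the thread. It uses the PIX 6.x-style syntax and the addresses already given in the thread (public 69.67.67.100, internal server 192.168.1.10); the smarthost address 198.51.100.25 is a constructed placeholder.

```cisco
! Added example, not the poster's running config. Assumes a PIX 515E with
! the mail server at 192.168.1.10 behind public address 69.67.67.100.
! The smarthost address 198.51.100.25 is a constructed placeholder.
!
! 1. Translation: expose only TCP/25 of the public address and map it to
!    the internal server (static PAT, the narrower of the two forms above).
static (inside,outside) tcp 69.67.67.100 25 192.168.1.10 25 netmask 255.255.255.255
!
! 2. Filter: permit only SMTP to that one host. Everything else arriving
!    on the outside interface is dropped by the implicit deny at the end.
access-list out_acl permit tcp any host 69.67.67.100 eq smtp
!
! Alternative if all inbound mail is relayed through a smarthost:
! replace "any" with the smarthost's address so only it can reach port 25.
! access-list out_acl permit tcp host 198.51.100.25 host 69.67.67.100 eq smtp
!
! 3. Bind the ACL inbound on the outside interface. Without this line the
!    access-list exists but is not applied to any traffic.
access-group out_acl in interface outside
!
! Check: the hit counter on the ACE should increase as inbound mail arrives.
show access-list out_acl
```

Keeping the static on TCP/25 only (rather than the all-ports NAT form) means that even if the ACL is later loosened by mistake, no other service on 192.168.1.10 is reachable from the outside; the `show access-list` hit counter is the quickest way to confirm the ACE is actually in the path.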
04-01-2008 07:10 PM
Sorry, I will try to explain better:
That is the typical configuration in order to allow your server to exchange mail directly with the Internet; let's assume your mail server answers for the "MyDomain.com" domain and you want it to be able to directly receive mail from the Internet; you have to activate a public DNS MX record, a "public route", in order to make your mail server public.
Then the Internet knows that to deliver mail to your mail server it has to contact the public IP address of your server (which is using a private (or DMZ) IP address).
Thanks to the mentioned acl, static and access-list, you allow the incoming traffic on port 25 (SMTP - Simple Mail Transfer Protocol) to exchange mail with your server.
So, if you want the "Internet" to be able to contact your email server, you need this ACL; it allows "ANY" because "any host" (anyone) can send mail to your server. If you have a smarthost in order to exchange mail, you can replace "any" with the smarthost server IP address.
I hope it can be helpful.
Regards
Giorgio
04-02-2008 10:59 AM
It did.
Thanks