Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > Setting incoming mail to only accept mail from Postini addresses on PIX

Reply
Thread Tools

Setting incoming mail to only accept mail from Postini addresses on PIX

 
 
brizzad505 brizzad505 is offline
Junior Member
Join Date: Oct 2011
Posts: 1
 
      10-14-2011
I took over the IT as Manager/Engineer here at this company about 6 months ago from a Managed Service Provider. I implemented Postini mail security but i am also getting spam coming through that seems to be circumventing Postini and hitting my org. I am no Cisco guru and from I have seen, you guys are.

What command should I put in or alter in the firewall to allow mail from only the IP ranges for Postini

This is from Postinis website:
IP Range
64.18.0.0 - 64.18.15.255

CIDR Range
64.18.0.0/20 64.18.0.0

IP/Subnet Mask Pair
64.18.0.0
mask 255.255.240.0

Notice what I highlighted in red in the config. Does that look a little funny? Seems like it may be a contradiction in the rules.


Here is my PIX sh run:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
enable password ************** encrypted
passwd ***************** encrypted
hostname PixPrimary01
domain-name wr
clock summer-time EST recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol h323 ras 3230-3237
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.7 TS2_Internal
name 192.168.1.8 TS3_Internal
name 192.168.1.12 Intra1_Internal
name 192.168.1.2 AS400_Internal
name 192.168.1.14 TeamSite_Int
name 192.168.1.9 helpdesk_Int
name *.*.138.147 TS2_External
name *.*.138.148 TS3_External
name *.*.138.142 Intra1_External
name *.*.138.135 Exchnge_External
name *.*..138.140 WebDNS_External
name *.*.138.131 InetRTR_Eth0
name *.*..138.141 Main_External
name *.*..138.132 AS400_External
name *.*.138.144 TeamSite_Ext
name *.*.138.139 helpdesk_Ext
name *.*..138.143 HRSupport_Ext
name *.*.138.146 TS1_External
name 192.168.1.82 TS1_Internal
name 192.168.1.81 Mail_Internal
name 192.168.1.83 HRSupport_Int
name 192.168.1.84 isynergy_Internal
name *.*.138.136 isynergy_External
access-list acl_out permit tcp any host Exchnge_External eq domain
access-list acl_out permit udp any host Exchnge_External eq domain
access-list acl_out permit tcp any host Exchnge_External eq https
access-list acl_out permit tcp any host Intra1_External eq www
access-list acl_out permit tcp any host Intra1_External eq https
access-list acl_out permit tcp any host TS3_External eq www
access-list acl_out permit tcp any host TS3_External eq https
access-list acl_out permit tcp any host TS2_External eq citrix-ica
access-list acl_out permit tcp any host TS3_External eq citrix-ica
access-list acl_out permit tcp any host TS1_External eq citrix-ica
access-list acl_out permit tcp any host TS1_External eq www
access-list acl_out permit tcp any host TS1_External eq https
access-list acl_out permit tcp any host Exchnge_External eq pop3
access-list acl_out permit tcp any host AS400_External eq www
access-list acl_out permit tcp any host Exchnge_External eq www
access-list acl_out permit tcp any host TeamSite_Ext eq www
access-list acl_out permit tcp any host TeamSite_Ext eq https
access-list acl_out permit tcp any host helpdesk_Ext eq 9675
access-list acl_out permit tcp any host HRSupport_Ext eq 9675
access-list acl_out permit tcp any host HRSupport_Ext eq www
access-list acl_out permit tcp any host HRSupport_Ext eq https
access-list acl_out permit tcp any host *.*.138.165 eq h323
access-list acl_out permit tcp any host *.*.138.165
access-list acl_out permit tcp any host *.*.138.165 range 3230 3237
access-list acl_out permit udp any host *.*.138.165 range 3230 3237
access-list acl_out permit udp any host *.0.0.7
access-list acl_out permit udp host *.*.138.165 any range 3230 3237
access-list acl_out permit tcp host *.*.138.165 any range 3230 3237
access-list acl_out permit tcp host *.*.138.165 any eq h323
access-list acl_out permit tcp any any eq 3389
access-list acl_out permit tcp *.*.0.0 255.255.240.0 host Exchnge_External eq smtp
access-list acl_out permit tcp any host Exchnge_External eq smtp
access-list acl_out permit tcp any host isynergy_External eq https
access-list acl_out permit tcp any host isynergy_External eq www
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 103 permit ip 10.1.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 106 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 202 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 112 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 203 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list acl_inside permit icmp any any echo
access-list acl_inside permit icmp any any echo-reply
access-list 204 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 99 permit 192.168.1.0 255.255.255.0
access-list 99 permit 192.168.2.0 255.255.255.0
access-list 99 permit 192.168.9.0 255.255.255.0
access-list 99 permit 192.168.8.0 255.255.255.0
access-list 99 permit 192.168.100.0 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip address outside *.*.138.150 255.255.255.0
ip address inside 192.168.1.3 255.255.255.0
ip address failover 172.16.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.254.50-192.168.254.100
ip local pool vpnpool 192.168.254.101-192.168.254.200
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside *.*.138.134
failover ip address inside 192.168.1.4
failover ip address failover 172.16.0.4
failover link inside
pdm history enable
arp timeout 14400
global (outside) 1 *.*.138.190
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) Intra1_Internal Intra1_External 255.255.255.255
alias (inside) TS2_Internal TS2_External 255.255.255.255
alias (inside) TS3_Internal TS3_External 255.255.255.255
alias (inside) TeamSite_Int TeamSite_Ext 255.255.255.255
alias (inside) TS1_Internal TS1_External 255.255.255.255
alias (inside) Mail_Internal Exchnge_External 255.255.255.255
alias (inside) isynergy_Internal isynergy_External 255.255.255.255
static (inside,outside) Intra1_External Intra1_Internal netmask 255.255.255.255 0 0
static (inside,outside) TS2_External TS2_Internal netmask 255.255.255.255 0 0
static (inside,outside) TS3_External TS3_Internal netmask 255.255.255.255 0 0
static (inside,outside) Main_External 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) AS400_External AS400_Internal netmask 255.255.255.255 0 0
static (inside,outside) TeamSite_Ext TeamSite_Int netmask 255.255.255.255 0 0
static (inside,outside) helpdesk_Ext helpdesk_Int netmask 255.255.255.255 0 0
static (inside,outside) TS1_External TS1_Internal netmask 255.255.255.255 0 0
static (inside,outside) Exchnge_External Mail_Internal netmask 255.255.255.255 0 0
static (inside,outside) HRSupport_Ext HRSupport_Int netmask 255.255.255.255 0 0
static (inside,outside) isynergy_External isynergy_Internal netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 InetRTR_Eth0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
snmp-server location Nowhere,USA
snmp-server contact Brizzad505
snmp-server community MyCompany
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
service resetinbound
crypto ipsec transform-set cm-tranformset-1 esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set cm-tranformset-1
crypto map InternetVPN 1 ipsec-isakmp
crypto map InternetVPN 1 match address 102
crypto map InternetVPN 1 set peer *.*.130.58
crypto map InternetVPN 1 set transform-set cm-tranformset-1
crypto map InternetVPN interface outside
isakmp enable outside
isakmp key ******** address *.*.130.58 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 failover
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username ******* password *********** encrypted privilege 2
terminal width 80
Cryptochecksum:*********************
: end



Also, I would like to add that most of this crap we donwt even use anymore. We dont have as400, Main, Intra1, Mail (now its exchge) TS2 and TS3 servers.

Any help for a Cisco Noob would be appreciated.
What a mess i have to clean up
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
The connection to the server has failed. Account: 'incoming.yahoo.verzon.net', Server: 'incoming.yahoo.verizon.net', Protocol: POP3, Port: 110, Secure(SSL): No, Socket Error: 10061, Error Number: 0x800CCC0E Michael Bower Computer Support 3 10-01-2006 03:44 PM
Why does SpamCop say to report this to postini@postini.com when it obviously didn't come from there? Lookout Computer Support 3 08-17-2006 02:54 AM
Why does SpamCop tell me this should be reported to postmaster@postini.com? Lookout Computer Support 3 04-09-2006 04:38 PM
https - lwp - postini Knight Stalker Perl Misc 0 09-16-2004 12:24 PM
Postini rawalls Computer Support 0 04-13-2004 02:00 AM



Advertisments