How to Block all outbound SMTP except Exchange Server

Discussion in 'Cisco' started by Ross, Jul 20, 2007.

  1. Ross Guest

    Hi there,
    I have a Cisco PIX 515e running version 7.2, and I have an Exchange email server
    inside the firewall, which is all working well.
    Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
    except from my company's Exchange server.
    Any idea about how to do this is appreciated.
    Ross, Jul 20, 2007

  2. gcave Guest

    access-list SMTP-CONTROL permit tcp host any eq smtp ! Where is the IP address of Exchange
    access-list SMTP-CONTROL deny tcp any any eq smtp
    access-list SMTP-CONTROL permit ip any any ! needed, since the list ends with an implicit deny any any
    access-group SMTP-CONTROL in interface inside

    Since the access-list gets executed in order, line one runs first and
    won't make it to line two unless it is a TCP connection on port 25 with
    a different IP address. Remember, if anyone tries to send any mail
    except the Exchange server, it will be blocked.
    gcave, Jul 21, 2007

  3. GNY Guest

    Sorry to thread-jack, but on an ASA, if I was trying to do something
    similar, would I have to assign this access-list to an interface? Or is
    this only for IOS routers where you have to assign the ACL to an
    Thanks and sorry again ..

    GNY, Jul 21, 2007
  4. Chris Guest

    The example above is for a Pix version 7.x, which is essentially the same
    as an ASA. So yes, you have to apply the access-list to an interface.

    Chris, Jul 21, 2007
  5. Ross Guest

    Thanks to everyone!
    It works well with blocking SMTP.
    But it stopped the blocking of BitTorrent. I had a setup for blocking
    BitTorrent, but once I enabled the SMTP blocking, the BitTorrent traffic
    became available again.

    BTW, here was my setup for blocking BT:
    access-list block_BT deny tcp any any range 6881 6999
    access-list block_BT permit ip any any
    access-group block_BT in interface inside

    Any idea would be appreciated again,
    Ross, Jul 23, 2007
  6. James Guest

    You can only have one access-list bound to an interface (on an IOS
    router you can have two, one in each direction), so you need to combine
    your entries to look something like this:

    access-list Outbound permit tcp host any eq smtp ! Where is the IP address of Exchange
    access-list Outbound deny tcp any any eq smtp
    access-list Outbound deny tcp any any range 6881 6999
    access-list Outbound permit ip any any

    access-group Outbound in interface inside

    James, Jul 24, 2007
  7. Ross Guest

    Thank you James! It works.

    One more question: if I need to combine one more entry in the future (e.g.
    blocking eDonkey), could I simply run one command "access-list Outbound deny
    tcp any any eq 4662" without running all the command list you provided from
    Thanks again,
    Ross, Jul 25, 2007
  8. Rod Dorman Guest

    I don't know what you mean by "running all the command list" but the
    general rule of thumb is the first match wins.
    Rod Dorman, Jul 25, 2007
  9. Ross Guest

    Thanks Rod, and sorry for the confusion.
    My question was how to INSERT a new rule. For example, if I have a new email
    server ( in the future, and want to allow its outgoing emails, I
    probably cannot just run "access-list Outbound permit tcp host any
    eq smtp" because the first match wins, as you said. Instead, I have to run
    "no access-group" and "no access-list" one by one, and re-add those rules
    one by one again.
    Thanks again,
    Ross, Jul 25, 2007
  10. Walter Roberson Guest

    In PIX 6.3 and later, use 'access-list' with the 'line' parameter. If
    the line already exists, the new line gets inserted -before- the
    existing line.
    Walter Roberson, Jul 25, 2007
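The two points the thread turns on, James's combined single ACL with first-match semantics and Walter's "line N inserts before line N" rule, are easy to get wrong on a live firewall. The model below is an added example written for this page, not code from the thread or from Cisco: it evaluates a flow against an ordered access-list exactly as the PIX/ASA does (first match wins, implicit deny at the end), and compares appending a new mail server's permit (which lands behind "deny tcp any any eq 25" and never matches) with inserting it at line 2. The addresses 192.0.2.10, 192.0.2.11, 192.0.2.50 and 203.0.113.1 are assumed placeholders from the RFC 5737 documentation ranges; the thread's real addresses are not on the page.

```python
"""Model of PIX/ASA access-list evaluation: one ACL per interface,
first match wins, implicit deny at the end, and 'line N' insertion.
Added example for this thread; addresses are assumed RFC 5737 placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXCHANGE = "192.0.2.10"        # assumed address of the Exchange server
NEW_MAILSERVER = "192.0.2.11"  # assumed address of the second mail server
WORKSTATION = "192.0.2.50"     # assumed address of an ordinary client
INTERNET_HOST = "203.0.113.1"  # assumed remote destination

ANY_PORT = (0, 65535)


@dataclass
class Ace:
    """One access-control entry, e.g. 'permit tcp host X any eq 25'."""
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "ip" (ip matches all)
    src: str                           # host address or "any"
    dst: str                           # host address or "any"
    dport: Tuple[int, int] = ANY_PORT  # inclusive destination port range

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return self.dport[0] <= dport <= self.dport[1]

    def render(self) -> str:
        """Render in PIX/ASA syntax (numeric ports; 'eq 25' == 'eq smtp')."""
        host = lambda a: "any" if a == "any" else f"host {a}"
        lo, hi = self.dport
        port = "" if self.dport == ANY_PORT else (
            f" eq {lo}" if lo == hi else f" range {lo} {hi}")
        return f"{self.action} {self.proto} {host(self.src)} {host(self.dst)}{port}"


class Acl:
    """An ordered access-list; only one can be bound per interface direction."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Ace] = []

    def append(self, ace: Ace) -> str:
        """Plain 'access-list NAME ...' appends at the end of the list."""
        self.entries.append(ace)
        return f"access-list {self.name} {ace.render()}"

    def insert(self, line: int, ace: Ace) -> str:
        """'access-list NAME line N ...' inserts BEFORE existing line N (1-based)."""
        self.entries.insert(line - 1, ace)
        return f"access-list {self.name} line {line} {ace.render()}"

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: int) -> Tuple[str, Optional[int]]:
        """First match wins; no match hits the implicit deny (line None)."""
        for i, ace in enumerate(self.entries, start=1):
            if ace.matches(proto, src, dst, dport):
                return ace.action, i
        return "deny", None

    def render(self) -> List[str]:
        return [f"access-list {self.name} {a.render()}" for a in self.entries]


def build_outbound() -> Acl:
    """The combined list from James's post: SMTP and BitTorrent in one ACL."""
    acl = Acl("Outbound")
    acl.append(Ace("permit", "tcp", EXCHANGE, "any", (25, 25)))
    acl.append(Ace("deny", "tcp", "any", "any", (25, 25)))
    acl.append(Ace("deny", "tcp", "any", "any", (6881, 6999)))
    acl.append(Ace("permit", "ip", "any", "any"))
    return acl


def add_mailserver_appended(acl: Acl) -> Tuple[str, Optional[int]]:
    """Appending the permit puts it after 'deny tcp any any eq 25': never reached."""
    acl.append(Ace("permit", "tcp", NEW_MAILSERVER, "any", (25, 25)))
    return acl.evaluate("tcp", NEW_MAILSERVER, INTERNET_HOST, 25)


def add_mailserver_inserted(acl: Acl) -> Tuple[str, Optional[int]]:
    """Inserting at line 2 places the permit ahead of the deny, as Walter says."""
    acl.insert(2, Ace("permit", "tcp", NEW_MAILSERVER, "any", (25, 25)))
    return acl.evaluate("tcp", NEW_MAILSERVER, INTERNET_HOST, 25)


if __name__ == "__main__":
    acl = build_outbound()
    print("\n".join(acl.render()))
    print(f"access-group {acl.name} in interface inside")
    for proto, src, port in [("tcp", EXCHANGE, 25), ("tcp", WORKSTATION, 25),
                             ("tcp", WORKSTATION, 6881), ("tcp", WORKSTATION, 80),
                             ("tcp", WORKSTATION, 587), ("udp", WORKSTATION, 6881)]:
        print(f"{proto} {src} -> any:{port}:", acl.evaluate(proto, src, INTERNET_HOST, port))
    print("appended:", add_mailserver_appended(build_outbound()))
    print("inserted:", add_mailserver_inserted(build_outbound()))
```

Running it shows the flows a practitioner should check after every ACL change: the Exchange host matches line 1, every other host is stopped at line 2 for port 25, and the BitTorrent range is stopped at line 3. It also exposes what the posted ACL does not cover: a workstation talking to port 587 (mail submission) or 465, or BitTorrent over UDP, falls through to "permit ip any any" on line 4, because the deny entries are TCP-only and port-specific. The permit for Exchange keys solely on source address, so any host that can use or spoof that address inherits the exemption; the ACL is an egress control, not an authentication of the mail server.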
  11. Ross Guest

    Ross, Jul 25, 2007
