RE: Firewall Configuration for SMTP
- From: "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Dec 2005 07:39:03 -0800
Hi,
Thank you for the reply. I would rather block this traffic at the firewall
and keep the bad stuff out of the exchange server altogether. Concerning
item 1, creating the IP filters: I can only list one subnet and mask per
filter in this version of ISA. So, if I create one filter allowing SMTP
traffic from subnet X, then create another SMTP filter allowing SMTP traffic
from subnet Y, I should be all set? Will the email coming into the server
from subnet X hit the subnet Y filter and bounce? Or will ISA deny on the one
filter then allow on the other without bouncing back emails? This is my only
concern with having two smtp filters. Thanks - Wayne
"Crina Li" wrote:
> Hi Wayne,
>
> Thanks for your reply.
>
> I am sorry for the delayed response due to weekend. Please understand that
> the newsgroups are staffed weekdays by Microsoft Support professionals to
> answer your systems and applications questions. Your understanding is
> greatly appreciated!
>
> Since the SBS SMTP service is listening to both the external and internal
> NIC, we can do the restriction in one of the following ways:
>
> 1. Use IP Packet filters. We can create new IP Packet Filters and specify the
> remote server's IP address in 'Remote computers' page and follow the wizard
> to finish it. Then you can double click the filter you have created and
> then click "Remote Computer" tab and then you can select This range of
> computers and type the Subnet and Mask. If multiple IP addresses are
> needed, we can create multiple filters.
>
> 2. You can also define the address restriction in SMTP virtual server
> properties. You can use the Connection Control on the SMTP virtual server
> to specify the IP addresses that you would like to allow to access your
> SMTP virtual server.
>
> For your convenience, I included the steps below:
>
> 1) Click Start, point to Programs, point to Microsoft Exchange, and then
> click System Manager.
> 2) Expand Servers, expand ServerName, and then expand Protocols.
> 3) Expand SMTP, right-click Default SMTP Virtual Server, and then click
> Properties.
> 4) Click the Access tab, and then click Connection.
> 5) In the Connection dialog box, click Only the list below.
>
> NOTE: This indicates that only the IP addresses and the domains that are
> in the list are permitted to connect to the SMTP virtual server.
>
> 6) Click Add, and then do one of the following to add a single computer, a
> group of computers, or a domain, as appropriate to your situation:
>
> - To add a single computer, click Single Computer, type the IP address of
> the e-mail messaging server of your Internet service provider (ISP) in the
> IP address box, and then click OK.
>
> Alternatively, click DNS Lookup, type a host name, and then click OK.
>
> - To add a group of computers, click Group of computers, type the subnet
> address and the subnet mask of the group in the corresponding boxes, and
> then click OK.
>
> Microsoft recommends this option if your ISP has a tendency to change the
> IP address of their e-mail messaging server without warning.
>
> - To add a domain, click Domain, type the domain name that you want in the
> Name box, and then click OK.
>
> Note that this option requires a DNS reverse lookup on each incoming
> connection.
>
> If you have any concerns, please feel free to let me know.
>
> Best regards,
>
> Crina Li (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
>
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | Thread-Topic: Firewall Configuration for SMTP
> | thread-index: AcYCWg4IHnA6Ek+jTx2a6/JQ1o6y3Q==
> | X-WBNR-Posting-Host: 208.200.82.13
> | From: "=?Utf-8?B?V2F5bmU=?=" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
> | References: <BCD27378-4CF5-41B5-963D-26E29C0B204E@xxxxxxxxxxxxx>
> <7F3555BB-1B42-44E7-B324-02D8F1DF5BA9@xxxxxxxxxxxxx>
> <EnoY3HiAGHA.1504@xxxxxxxxxxxxxxxxxxxxx>
> | Subject: RE: Firewall Configuration for SMTP
> | Date: Fri, 16 Dec 2005 08:02:03 -0800
> | Lines: 110
> | Message-ID: <B30DB315-2142-47C4-889D-B77AE2ED065C@xxxxxxxxxxxxx>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.windows.server.sbs
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:230711
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | Hi, and thanks for getting back to me. I am using ISA server 2000 (ver 3)
> | and I am trying to restrict inbound smtp traffic. We have a filtering
> | service off site that the MX records point to, then they forward all email
> | to our exchange server. To prevent email bypassing this filter (by them
> | sending directly to our IP address) I need to only allow this traffic,
> | which comes from two ranges of IP addresses. If I go into the access policy
> | -> IP packet filters -> SBS smtp predefined type -> allow, I am able to put
> | in an IP and Mask. I do not see how I can put in more than one range here.
> | In the latest version you can specify as many ranges as you like. If I
> | create two smtp filters for incoming traffic, one for each range, will this
> | end up blocking all traffic?
> | Thanks - Wayne
> |
> | "Crina Li" wrote:
> |
> | > Hi Wayne,
> | >
> | > Thank you for posting in SBS newsgroup.
> | >
> | > You said "need to lock down the firewall to only accept SMTP traffic from
> | > two networks", do you mean you are using ISA server 2000 and want to
> | > implement restriction on outbound SMTP traffic?
> | >
> | > If so, you can create computer sets for the particular subnets and create
> | > protocol rule to allow the requests from the computer sets.
> | >
> | > Hope it helps and I look forward to hearing from you.
> | >
> | > Best regards,
> | >
> | > Crina Li (MSFT)
> | >
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > Get Secure! - www.microsoft.com/security
> | >
> | > --------------------
> | > | Thread-Topic: Firewall Configuration for SMTP
> | > | thread-index: AcYBzn8A1jOJgh2BTp2zinOwJV71aA==
> | > | X-WBNR-Posting-Host: 208.200.82.13
> | > | From: "=?Utf-8?B?V2F5bmU=?=" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
> | > | References: <BCD27378-4CF5-41B5-963D-26E29C0B204E@xxxxxxxxxxxxx>
> | > | Subject: RE: Firewall Configuration for SMTP
> | > | Date: Thu, 15 Dec 2005 15:23:03 -0800
> | > | Lines: 15
> | > | Message-ID: <7F3555BB-1B42-44E7-B324-02D8F1DF5BA9@xxxxxxxxxxxxx>
> | > | MIME-Version: 1.0
> | > | Content-Type: text/plain;
> | > | charset="Utf-8"
> | > | Content-Transfer-Encoding: 7bit
> | > | X-Newsreader: Microsoft CDO for Windows 2000
> | > | Content-Class: urn:content-classes:message
> | > | Importance: normal
> | > | Priority: normal
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | > | Path:
> TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | > | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:230527
> | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > |
> | > | PS, I do not have the latest version of ISA server, on which this is an
> | > | easy configuration, but the previous version.
> | > | Thanks !
> | > |
> | > |
> | > | "Wayne" wrote:
> | > |
> | > | > Hi,
> | > | > I am running SBS2003 premium, ISA installed, and need to lock down the
> | > | > firewall to only accept SMTP traffic from two networks. When I go to
> | > | > look at the existing rule it is wide open, but it does look like I can
> | > | > restrict it to a single subnet. How can I allow two different subnets
> | > | > to send SMTP traffic? If I create 2 rules, one for each subnet will
> | > | > they end up blocking each other?
> | > | > Thanks - Wayne
> | > |
> | >
> | >
> |
>
>
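The question running through this thread is whether two separate allow entries (one per subnet) can interfere with each other. Under an allow-list such as the SMTP virtual server's "Only the list below" setting described above, they cannot: a connection is accepted when any entry matches and refused only when none does, so a second entry only widens what is admitted. The following is an added example, not code from the thread, from ISA Server or from Exchange; it models an allow-list with the three entry kinds Crina Li lists (single computer, group of computers as subnet plus mask, domain matched via reverse DNS) and checks sample sources against it. The entry names, the `constructed_reverse_lookup` stub and all addresses (documentation prefixes) are constructed for the example, and the any-match evaluation is an assumption about the SMTP connection-control setting, not a statement about how ISA 2000 orders its packet filters, which the thread does not settle.

```python
"""Model of an SMTP connection-control allow-list with the three entry kinds
from the thread. Added example; entry types, addresses and the reverse-lookup
stub are constructed for illustration and are not Exchange or ISA code."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# Constructed stand-in for the per-connection reverse (PTR) lookup that a
# "Domain" entry depends on. A real deployment would query DNS here.
CONSTRUCTED_PTR: Dict[str, str] = {
    "203.0.113.10": "mx1.filter.example.",
    "203.0.113.11": "mx2.filter.example.",
}


def constructed_reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR name for ip, or None when the lookup yields nothing."""
    return CONSTRUCTED_PTR.get(ip)


@dataclass(frozen=True)
class SingleComputer:
    ip: str


@dataclass(frozen=True)
class GroupOfComputers:
    subnet: str   # as typed into the dialog, e.g. "198.51.100.0"
    mask: str     # dotted mask, e.g. "255.255.255.0"


@dataclass(frozen=True)
class Domain:
    name: str     # compared with the connecting host's reverse-DNS name


Entry = Union[SingleComputer, GroupOfComputers, Domain]
Resolver = Callable[[str], Optional[str]]


def entry_matches(entry: Entry, ip: str, reverse_lookup: Resolver) -> bool:
    """True when this one allow-list entry covers the connecting address."""
    addr = ipaddress.ip_address(ip)
    if isinstance(entry, SingleComputer):
        return addr == ipaddress.ip_address(entry.ip)
    if isinstance(entry, GroupOfComputers):
        # strict=False tolerates a host address typed into the subnet field.
        net = ipaddress.ip_network(f"{entry.subnet}/{entry.mask}", strict=False)
        return addr in net
    if isinstance(entry, Domain):
        host = reverse_lookup(ip)
        if host is None:          # no PTR record: a Domain entry cannot match
            return False
        h = host.lower().rstrip(".")
        d = entry.name.lower().rstrip(".")
        return h == d or h.endswith("." + d)
    raise TypeError(f"unknown entry type: {entry!r}")


def connection_allowed(allow_list: List[Entry], ip: str,
                       reverse_lookup: Resolver = constructed_reverse_lookup) -> bool:
    """'Only the list below' semantics: accept iff ANY entry matches.
    Entries are independent, so adding a second subnet never causes a source
    admitted by the first one to be refused; an empty list refuses everyone."""
    return any(entry_matches(e, ip, reverse_lookup) for e in allow_list)


def matching_entries(allow_list: List[Entry], ip: str,
                     reverse_lookup: Resolver = constructed_reverse_lookup) -> List[Entry]:
    """The entries that admit this source, for auditing the list."""
    return [e for e in allow_list if entry_matches(e, ip, reverse_lookup)]


if __name__ == "__main__":
    # Constructed allow-list: the two ranges of an upstream filtering service
    # plus a domain entry for its hosts.
    allow: List[Entry] = [
        GroupOfComputers("198.51.100.0", "255.255.255.0"),
        GroupOfComputers("203.0.113.0", "255.255.255.128"),
        Domain("filter.example"),
    ]
    for src in ["198.51.100.7", "203.0.113.10", "203.0.113.200", "192.0.2.5"]:
        verdict = "accept" if connection_allowed(allow, src) else "refuse"
        print(f"{src:15} {verdict:7} matched by {matching_entries(allow, src)}")
```

Two points worth keeping in mind when maintaining such a list: a domain entry is only as reliable as the sender's reverse DNS, and a lookup failure is treated as no match, so a filtering service whose hosts lack PTR records is better covered by its address ranges; and whichever layer enforces the restriction, the firewall or the SMTP virtual server, the list has the same shape, so the two can be kept in step from one source of truth.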