HELP - Exchange & Cisco 1700 Lockdown from SPAM
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
|||||||||||||
|
Posted by on May 30, 2008, 9:50 am
Please log in for more thread options I want to thank everyone in advance for any information you provide. I'm going to be as straigh forward as possible and give as much detail as possible. We are running Windows 2000 SBS with Exchange and I have recently moved my SPAM scanning externally outside of our building, through a third-party SPAM scanning company called SpamSoap. The issue that I am having foolows: The scanner is working correctly and stopping almost all of the SPAM. However, someone is directly mailing to our IP address; as our IP is static we can not change it. SpamSoap recommends locking down our exchange server to only except mail from a certain IP range they give us. This is the problem, I don't know how to put these IP addresses into exchange, and/or my Cisco 1700 router. Does anyone know how to complete this? Is this true and possible to be done? Thanks again for looking and giving any thoughts you might have! Mickie | |||||||||||||
|
Posted by Trendkill on May 30, 2008, 12:58 pm
Please log in for more thread options I think you are asking how to ACL off SMTP from everywhere except the IP-range of your 3rd party provider. You would do this by creating an access-list on the router that allows SMTP (port 25) from your SPAM filter and nothing else. I would need more information on how exactly this spam filter works (is your email domain pointed/owned by their servers and whatever passes the filter is sent on to your specific mail server, or is something else going on). But here is an example of an ACL: access-list 101 permit tcp any host a.b.c.d eq smtp access-list 101 deny tcp any any eq smtp You would then apply that ACL to your external interface on your router: int <interface>
ip access-group 101 in
Again, I would strong discourage doing anything until you have a complete understanding of the flow of traffic (in this case mail) with your 3rd party provider. The last thing you want is an email outage...... | |||||||||||||
|
Posted by Mickie on May 30, 2008, 1:48 pm
Please log in for more thread options > On May 30, 9:50 am, mickiemell...@gmail.com wrote:
> > > > > > > Hello everyone,
>
> > I want to thank everyone in advance for any information you provide.
> > I'm going to be as straigh forward as possible and give as much > > detail > > as possible. >
> > We are running Windows 2000 SBS with Exchange and I have recently
> > moved my SPAM scanning externally outside of our building, through a > > third-party SPAM scanning company called SpamSoap. >
> > The issue that I am having foolows:
> > The scanner is working correctly and stopping almost all of the SPAM. > > However, someone is directly mailing to our IP address; as our IP is > > static we can not change it. =A0SpamSoap recommends locking down our > > exchange server to only except mail from a certain IP range they give > > us. =A0This is the problem, I don't know how to put these IP addresses > > into exchange, and/or my Cisco 1700 router. >
> > Does anyone know how to complete this? =A0Is this true and possible to
> > be done? > > Thanks again for looking and giving any thoughts you might have! > > Mickie >
> I think you are asking how to ACL off SMTP from everywhere except the > IP-range of your 3rd party provider. =A0You would do this by creating an > access-list on the router that allows SMTP (port 25) from your SPAM > filter and nothing else. =A0I would need more information on how exactly > this spam filter works (is your email domain pointed/owned by their > servers and whatever passes the filter is sent on to your specific > mail server, or is something else going on). =A0But here is an example > of an ACL: > > access-list 101 permit tcp any host a.b.c.d eq smtp > access-list 101 deny tcp any any eq smtp > > You would then apply that ACL to your external interface on your > router: > > int <interface> > ip access-group 101 in > > Again, I would strong discourage doing anything until you have a > complete understanding of the flow of traffic (in this case mail) with > your 3rd party provider. =A0The last thing you want is an email > outage......- Hide quoted text - > > - Show quoted text - Thank you very much for your input... here the flow of traffic and additional information you requested: Our DNS records (through GoDaddy) point/redirect the mail to their servers where it is checked for SPAM and then their (spamsoap) server's send the mail on top our IP Address/mail server. Spamsoap has provided a block of IP addresses to allow within the router. I need to set these up because spammers are bypassing the scanner and mailing directing to our mail server. I'm pretty sure that what you are saying is what I need, I'm just not sure how to go about setting it up within the 1700. Thank you again for your help, Mickie | |||||||||||||
|
Posted by Trendkill on May 30, 2008, 1:55 pm
Please log in for more thread options >
> > > > On May 30, 9:50 am, mickiemell...@gmail.com wrote:
>
> > > Hello everyone,
>
> > > I want to thank everyone in advance for any information you provide.
> > > I'm going to be as straigh forward as possible and give as much > > > detail > > > as possible. >
> > > We are running Windows 2000 SBS with Exchange and I have recently
> > > moved my SPAM scanning externally outside of our building, through a > > > third-party SPAM scanning company called SpamSoap. >
> > > The issue that I am having foolows:
> > > The scanner is working correctly and stopping almost all of the SPAM. > > > However, someone is directly mailing to our IP address; as our IP is > > > static we can not change it. SpamSoap recommends locking down our > > > exchange server to only except mail from a certain IP range they give > > > us. This is the problem, I don't know how to put these IP addresses > > > into exchange, and/or my Cisco 1700 router. >
> > > Does anyone know how to complete this? Is this true and possible to
> > > be done? > > > Thanks again for looking and giving any thoughts you might have! > > > Mickie >
> > I think you are asking how to ACL off SMTP from everywhere except the
> > IP-range of your 3rd party provider. You would do this by creating an > > access-list on the router that allows SMTP (port 25) from your SPAM > > filter and nothing else. I would need more information on how exactly > > this spam filter works (is your email domain pointed/owned by their > > servers and whatever passes the filter is sent on to your specific > > mail server, or is something else going on). But here is an example > > of an ACL: >
> > access-list 101 permit tcp any host a.b.c.d eq smtp
> > access-list 101 deny tcp any any eq smtp >
> > You would then apply that ACL to your external interface on your
> > router: >
> > int <interface>
> > ip access-group 101 in >
> > Again, I would strong discourage doing anything until you have a
> > complete understanding of the flow of traffic (in this case mail) with > > your 3rd party provider. The last thing you want is an email > > outage......- Hide quoted text - >
> > - Show quoted text -
>
> Thank you very much for your input... here the flow of traffic and > additional information you requested: > Our DNS records (through GoDaddy) point/redirect the mail to their > servers where it is checked for SPAM and then their (spamsoap) > server's send the mail on top our IP Address/mail server. > Spamsoap has provided a block of IP addresses to allow within the > router. > I need to set these up because spammers are bypassing the scanner and > mailing directing to our mail server. > I'm pretty sure that what you are saying is what I need, I'm just not > sure how to go about setting it up within the 1700. > Thank you again for your help, > Mickie Then you will do exactly what i outlined above. If its a contiguous address space, you'll have one allow statement with the network address/range of their servers. If not, then you'll have to add in several allow statements. Follow it up with one deny any any eq smtp, and finally a permit ip any any at the end (else the explicit deny on the end will kill all traffic which you certainly don't want). This should clear it up. Here is an example: If their addresses are 1.1.1.0 - 1.1.1.63 and your mail server is 2.2.2.2 access-list 101 permit tcp 1.1.1.0 255.255.255.192 host 2.2.2.2 eq smtp access-list 101 deny tcp any host 2.2.2.2 eq smtp access-list 101 permit ip any any interface <external interface>
ip access-group 101 in
May want to get one other person on here to review that and make sure I didn't miss something. Statement one allows traffic from their range to your server. Statement two blocks any host from sending smtp traffic to your server (may want to do any any instead if you want SMTP blocked to everything else). Statement three allows everything else so that the implicit deny doesn't kill everything else. The last will apply the ACL inbound on your outbound interface, blocking it as the traffic comes into your network. | |||||||||||||
|
Posted by Mickie on June 2, 2008, 11:26 am
Please log in for more thread options >
> > > > > > > > On May 30, 9:50 am, mickiemell...@gmail.com wrote:
>
> > > > Hello everyone,
>
> > > > I want to thank everyone in advance for any information you provide.=
> > > > I'm going to be as straigh forward as possible and give as much
> > > > detail > > > > as possible. >
> > > > We are running Windows 2000 SBS with Exchange and I have recently
> > > > moved my SPAM scanning externally outside of our building, through a= > > > > third-party SPAM scanning company called SpamSoap.
>
> > > > The issue that I am having foolows:
.
> > > > The scanner is working correctly and stopping almost all of the SPAM= > > > > However, someone is directly mailing to our IP address; as our IP is=
> > > > static we can not change it. =A0SpamSoap recommends locking down our=
> > > > exchange server to only except mail from a certain IP range they giv=
e
> > > > us. =A0This is the problem, I don't know how to put these IP address=
es
> > > > into exchange, and/or my Cisco 1700 router.
>
> > > > Does anyone know how to complete this? =A0Is this true and possible =
to
> > > > be done?
> > > > Thanks again for looking and giving any thoughts you might have! > > > > Mickie >
> > > I think you are asking how to ACL off SMTP from everywhere except the
an
> > > IP-range of your 3rd party provider. =A0You would do this by creating = > > > access-list on the router that allows SMTP (port 25) from your SPAM
ly
> > > filter and nothing else. =A0I would need more information on how exact= > > > this spam filter works (is your email domain pointed/owned by their
> > > servers and whatever passes the filter is sent on to your specific > > > mail server, or is something else going on). =A0But here is an example= > > > of an ACL:
>
> > > access-list 101 permit tcp any host a.b.c.d eq smtp
> > > access-list 101 deny tcp any any eq smtp >
> > > You would then apply that ACL to your external interface on your
> > > router: >
> > > int <interface>
> > > ip access-group 101 in >
> > > Again, I would strong discourage doing anything until you have a
> > > complete understanding of the flow of traffic (in this case mail) with= > > > your 3rd party provider. =A0The last thing you want is an email
> > > outage......- Hide quoted text - >
> > > - Show quoted text -
>
> > Thank you very much for your input... here the flow of traffic and
> > additional information you requested: > > Our DNS records (through GoDaddy) point/redirect the mail to their > > servers where it is checked for SPAM and then their (spamsoap) > > server's send the mail on top our IP Address/mail server. > > Spamsoap has provided a block of IP addresses to allow within the > > router. > > I need to set these up because spammers are bypassing the scanner and > > mailing directing to our mail server. > > I'm pretty sure that what you are saying is what I need, I'm just not > > sure how to go about setting it up within the 1700. > > Thank you again for your help, > > Mickie >
> Then you will do exactly what i outlined above. =A0If its a contiguous > address space, you'll have one allow statement with the network > address/range of their servers. =A0If not, then you'll have to add in > several allow statements. =A0Follow it up with one deny any any eq smtp, > and finally a permit ip any any at the end (else the explicit deny on > the end will kill all traffic which you certainly don't want). =A0This > should clear it up. =A0Here is an example: > > If their addresses are 1.1.1.0 - 1.1.1.63 and your mail server is > 2.2.2.2 > > access-list 101 permit tcp 1.1.1.0 255.255.255.192 host 2.2.2.2 eq > smtp > access-list 101 deny tcp any host 2.2.2.2 eq smtp > access-list 101 permit ip any any > > interface <external interface> > ip access-group 101 in > > May want to get one other person on here to review that and make sure > I didn't miss something. =A0Statement one allows traffic from their > range to your server. =A0Statement two blocks any host from sending smtp > traffic to your server (may want to do any any instead if you want > SMTP blocked to everything else). =A0Statement three allows everything > else so that the implicit deny doesn't kill everything else. > > The last will apply the ACL inbound on your outbound interface, > blocking it as the traffic comes into your network.- Hide quoted text - > > - Show quoted text - Thanks for getting back to me about this, I am trying what you have outlined and I am getting an error when I try to type in "access-list" My Cisco is telling me that it is an invaild place holder/marker. Please let me know what I should....thanks, Mickie | |||||||||||||
| Similar Threads | Posted |
| HELP - Exchange & Cisco 1700 Lockdown from SPAM | May 30, 2008, 9:50 am |
| Exchange/cisco VPN client failing | May 20, 2006, 4:32 pm |
| Cisco Unity + Exchange Issue | June 27, 2007, 5:48 pm |
| Re: MAC address lockdown | June 24, 2005, 3:39 am |
| Re: MAC address lockdown | June 24, 2005, 2:07 pm |
| Re: MAC address lockdown | June 27, 2005, 5:23 pm |
| PIX 515R - EMAIL LOCKDOWN | August 1, 2007, 10:25 am |
| ACL to block SPAM sources | May 17, 2008, 3:40 am |
| Cisco Security Response: Internet Key Exchange Resource Exhaustion Attack | July 27, 2006, 2:33 pm |
| Cisco CM Express with Exchange 2007 Unified Messaging (Utilizing Dynamips) | May 13, 2008, 1:44 pm |
| Cisco 1700 | July 27, 2006, 9:24 pm |
| cisco 1700 | February 6, 2007, 11:23 am |
| Cisco 1700 and DNS cache | July 18, 2005, 8:35 pm |
| Cisco 1700 Problems | November 17, 2005, 9:41 am |
| Cisco 1700 Router | July 25, 2008, 8:00 am |
>
> I want to thank everyone in advance for any information you provide.
> I'm going to be as straigh forward as possible and give as much
> detail
> as possible.
>
> We are running Windows 2000 SBS with Exchange and I have recently
> moved my SPAM scanning externally outside of our building, through a
> third-party SPAM scanning company called SpamSoap.
>
> The issue that I am having foolows:
> The scanner is working correctly and stopping almost all of the SPAM.
> However, someone is directly mailing to our IP address; as our IP is
> static we can not change it. SpamSoap recommends locking down our
> exchange server to only except mail from a certain IP range they give
> us. This is the problem, I don't know how to put these IP addresses
> into exchange, and/or my Cisco 1700 router.
>
> Does anyone know how to complete this? Is this true and possible to
> be done?
> Thanks again for looking and giving any thoughts you might have!
> Mickie