In article , wrote:
:Ok cool. Do I need to make a deny ACL to run to prevent other mail
:servers from connecting?
Everything not permitted is denied, so as long as you have been restrictive on your other ACL entries and you only permit that one source to connect to the mail server, then only it will be let through.
However, if you -have- configured for that kind of protection, then your plan of just "deleting" the entry if need be and having the backup MX work, will not work if the backup MX is inside the protected area.
One thing I have found is that if you have a backup MX configured, then hosts (especially spammers) will use it even though it is not the highest priority (lowest MX number). So... if your backup plan is to allow mail through directly to the inside server without going through your filtering service, then you would want to -change- the entry to permit everything instead of permitting just your one host.
As a practical suggestion: I would suggest that instead of directly coding,
    access-list out2in permit tcp host FILTERSERVICE host MAILSYSTEM eq smtp
that instead you code,
    object-group network permitted_mailers
      network-object host FILTERSERVICE
    access-list out2in permit tcp object-group permitted_mailers host MAILSYSTEM eq smtp
If you do that, then instead of having to edit the ACL line, all you would have to do to allow or disallow the public would be to alter the object group; e.g., after the above, commanding
    object-group network permitted_mailers
      network-object any
would have the effect of -adding- "any" to the list of permitted servers, and
    object-group network permitted_mailers
      no network-object any
would have the effect of removing the public again. That's easier than showing the access list, finding the line number, removing the old entry by line number, inserting the new entry by line number...
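Putting the pieces of the post above together into one runnable PIX/ASA configuration, as an added example that is not part of the original post: the addresses 192.0.2.10 (standing in for FILTERSERVICE) and 203.0.113.25 (standing in for MAILSYSTEM, as it is referenced in the ACL), the interface name "outside", and the access-group line are assumptions; the object-group, access-list and network-object commands are the ones the post gives.

```cisco
! Added example, not configuration from the original post.
! Placeholder addresses: 192.0.2.10 = FILTERSERVICE (the outside
! filtering service's relay), 203.0.113.25 = MAILSYSTEM (the inside
! mail server as referenced in this ACL). Interface name "outside"
! and the access-group binding are assumed.
!
! Normal state: only the filtering service may open SMTP to the
! mail server. Every other source is dropped by the ACL's implicit
! deny, so no explicit deny entry is needed.
object-group network permitted_mailers
  network-object host 192.0.2.10
!
access-list out2in permit tcp object-group permitted_mailers host 203.0.113.25 eq smtp
access-group out2in in interface outside
!
! Failover: let the public reach the mail server directly, without
! editing the access-list line itself. Note that a backup MX that
! sits inside the protected area is covered by the same ACL, so it
! only becomes reachable once this member is added.
object-group network permitted_mailers
  network-object any
!
! Back to normal: remove the public again.
object-group network permitted_mailers
  no network-object any
!
! Check the result: the ACL is displayed expanded per object-group
! member, with per-entry hit counts.
show access-list out2in
```

Run "show access-list out2in" after each object-group change: the expanded entries show exactly which sources are currently permitted, and the hit counts show whether anyone other than the filtering service has been connecting while the group was opened up.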