Firewall Wizards mailing list archives

Re: Cisco PIX Version 6.3(3) SMTP Problem


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 6 Jul 2005 22:57:30 +0530

On 06/07/05 08:51 -0400, Paul D. Robertson wrote:
On Tue, 5 Jul 2005, David M. Nicksic wrote:

I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
Postini is employed. I want to deny all SMTP traffic unless it comes from
one of the Postini servers. Can the PIX be configured to accomplish this?


Almost any firewall can, however you'll be out of e-mail if the provider
has to put up a new server because of an attack, failure, problem or
address change.  It's probably better to configure your mail server to
reject based on forward/reverse lookups, since you're dealing with one
zone, you'll be able to cache the lookups pretty well.

I would ask Postini for the network where their recipient verification
will come from. Then allow connections to port 25 of my mailserver from
only that subnet, and block everything else.

Note that Postini rejects mail if your server isn't reachable by it, so
it's not all that resilient if you're under attack or having server
issues[1].  Personally, I'd rather run Mailscanner on a Postfix instance
than outsource something as critical as e-mail.

Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
loss. Use amavisd-new instead.

As I understand it, Postini should cache recipient information, so you
will have a slightly better chance if your server goes under attack. I
concur with Paul's suggestion, though I would recommend Postfix +
Amavisd-new + Clamav + SpamAssassin on your Unix of choice.

Devdas Bhagat
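Added example, not from any poster in this thread: what the "allow port 25 only from the filtering provider's subnet" policy looks like in PIX 6.3 access-list syntax. The addresses are constructed placeholders from the RFC 5737 documentation ranges (192.0.2.0/24 standing in for the provider's netblock, 203.0.113.25 for the mail server's outside address); the access-list name outside_in is likewise an assumption.

```cisco
access-list outside_in remark Constructed example: 192.0.2.0/24 stands in for the mail-filtering provider's subnet
access-list outside_in remark 203.0.113.25 is the mail server's translated (outside) address, not its inside address
access-list outside_in permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.25 eq smtp
access-list outside_in remark Explicit deny with logging so blocked direct-to-MX connections show up in syslog (message 106100)
access-list outside_in deny tcp any host 203.0.113.25 eq smtp log
access-group outside_in in interface outside
```

Two things to check before relying on this: on PIX 6.3 an outside access-list matches the mapped (static) address of the server, not its inside address, so the host entry must be the address in the static translation; and because an access-list ends in an implicit deny, any other inbound service on the outside interface needs its own permit line once this list is bound. Hit counts from `show access-list outside_in` confirm that provider traffic is matching the permit line and direct connections are landing on the deny line. As Paul notes above, the list also has to be updated whenever the provider changes its netblock, which is the operational cost of this approach.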
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
