Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem

• Previous message: Gregory Hicks: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• In reply to: Paul D. Robertson: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• Next in thread: Paul Robertson: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• Reply: Paul Robertson: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Wed, 6 Jul 2005 22:57:30 +0530

On 06/07/05 08:51 -0400, Paul D. Robertson wrote:
> On Tue, 5 Jul 2005, David M. Nicksic wrote:
>
> > I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> > Postini is employed. I want to deny all SMTP traffic unless it comes from
> > one of the Postini servers. Can the PIX be configured to accomplish this?
> >
>
> Almost any firewall can, however you'll be out of e-mail if the provider
> has to put up a new server because of an attack, failure, problem or
> address change. It's probably better to configure your mail server to
> reject based on forward/reverse lookups, since you're dealing with one
> zone, you'll be able to cache the lookups pretty well.
>
I would ask Postini for the network where their recipient verificaion
will come from. Then allow connections to port 25 of my mailserver from
only that subnet, and block everything else.

> Note that Postini rejects mail if your server isn't reachable by it- so
> it's not all that resilient if you're under attack or having server
> issues[1]. Personally, I'd rather run Mailscanner on a Postfix instance
> than outsource something as critical as e-mail.

Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
loss. Use amavisd-new instead.

As I understand it, Postini should cache recipient information, so you
will have a slightly better chance if your server goes under attack. I
concur with Paul's suggestion, though I would recommend Postfix +
Amavisd-new + Clamav + SpamAssassin on your Unix of choice.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Gregory Hicks: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• In reply to: Paul D. Robertson: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• Next in thread: Paul Robertson: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• Reply: Paul Robertson: "Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]