Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: Wed, 6 Jul 2005 22:57:30 +0530
On 06/07/05 08:51 -0400, Paul D. Robertson wrote:
> On Tue, 5 Jul 2005, David M. Nicksic wrote:
> > I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> > Postini is employed. I want to deny all SMTP traffic unless it comes from
> > one of the Postini servers. Can the PIX be configured to accomplish this?
> Almost any firewall can, however you'll be out of e-mail if the provider
> has to put up a new server because of an attack, failure, problem or
> address change. It's probably better to configure your mail server to
> reject based on forward/reverse lookups, since you're dealing with one
> zone, you'll be able to cache the lookups pretty well.
I would ask Postini for the network where their recipient verification
will come from. Then allow connections to port 25 of my mailserver from
only that subnet, and block everything else.
> Note that Postini rejects mail if your server isn't reachable by it- so
> it's not all that resilient if you're under attack or having server
> issues. Personally, I'd rather run Mailscanner on a Postfix instance
> than outsource something as critical as e-mail.
Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
loss. Use amavisd-new instead.
As I understand it, Postini should cache recipient information, so you
will have a slightly better chance if your server goes under attack. I
concur with Paul's suggestion, though I would recommend Postfix +
Amavisd-new + Clamav + SpamAssassin on your Unix of choice.
firewall-wizards mailing list
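The "allow port 25 only from the filtering provider's subnet, block everything else" rule that the reply above describes, written out as a PIX 6.3 configuration. This is an added example, not part of the original post or any Cisco or Postini documentation: the provider range 198.51.100.0/24, the public mail address 203.0.113.25 and the inside host 192.168.10.25 are placeholder values (documentation ranges), and the ACL name outside_in is arbitrary. Substitute the subnet(s) the provider actually publishes.

```cisco
! Publish the inside mail server on a fixed outside address (placeholder values).
static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255

! Placeholder range standing in for the provider's published delivery network.
! PIX 6.3 ACLs take ordinary subnet masks, not IOS-style wildcard masks.
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.25 eq smtp

! Everything else to port 25 is dropped explicitly so the deny is visible in
! "show access-list" hit counters; the implicit deny at the end would do the same.
access-list outside_in deny tcp any host 203.0.113.25 eq smtp

! Bind the list inbound on the outside interface.
access-group outside_in in interface outside
```

Once applied, `show access-list outside_in` shows per-entry hit counts, which is the quickest way to confirm the provider's connections match the permit line rather than the deny. The caveat raised earlier in the thread still applies: if the provider brings up a server outside the listed range, inbound mail stops until the ACL is updated, so keep the provider's range list somewhere it gets reviewed, and consider applying the same source restriction in the MTA itself so the two layers fail the same way.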