Re: How to Block all outbound SMTP except Exchange Server

On Sat, 21 Jul 2007 15:43:39 -0000, GNY wrote:

On Jul 20, 10:31 pm, gc...@xxxxxxxxxxxxx wrote:
On Jul 20, 5:37 pm, "Ross" <nos...@xxxxxxxx> wrote:

Hi there,
I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
inside the firewall, which are all working well.
Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
except from my company's Exchange server.
Any idea about how to do this is appreciated.

access-list SMTP-CONTROL permit tcp host any eq smtp ! Where is the IP address of Exchange
access-list SMTP-CONTROL deny tcp any any eq smtp
access-list SMTP-CONTROL permit ip any any ! implicit deny any any
access-group SMTP-CONTROL in interface inside

Since the access-list gets executed in order, line one runs first and
wont make it to line two unless it is a TCP connection on port 25 with
a different IP address. Remember if anyone trys to send any mail
except the exchange server it will be blocked.

Sorry to thread jack .. But on an ASA if I was trying to do something
similar would I have to assign this access-list to an interface? Or is
this only for IOS routers where you have to assign the ACL to an

Thanks and sorry again ..


The example above is for a Pix version 7.x, which is essentially the same
as an ASA. So yes, you have to apply the access-list to an interface.