Re: SMTP and tcp ports



Bob Simon wrote:
On Wed, 30 Apr 2008 12:04:37 -0400, News Reader <user@xxxxxxxxxxx>
wrote:

Bob Simon wrote:
I have an access list applied inbound on the outside interface of a
2600 connected to the edge router. I found that I needed smtp ACEs
for both the source port and for the destination port to our exchange
server.
50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
Matching SMTP exchanges with external SMTP servers (source port 25).
This ACE would not match clients (source port >1023).

60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
This ACE currently matches clients (destination port 25). Servers were matched on the previous ACE.

If you eliminate ACE # 50, clients and servers would match ACE # 60.

Are you saying that the way servers assign the tcp ports is different
from the way clients assign the tcp ports?

No, I don't think I have suggested that.


I thought that in either case, the host that initiates the session
uses a random source port and a well known destination port with
return packets coming back to the well known source port and a
destination port matching the originating packet.

The original source port becomes the destination port on the return path, and vice versa.

You need to understand the operational behavior of the protocols you are using. Source ports are NOT always random.

e.g.: A Windows client initiates an NTP (or perhaps SNTP) connection to an NTP server on the router:

The host uses a "source port >1023", and a destination port of 123.

A Cisco switch initiates an NTP connection to an NTP server on the router:

The switch uses a "source port of 123", and a destination port of 123.


I was suggesting:

* That an external SMTP server initiating a connection to your server would likely be using TCP source port 25 which matches your ACE #50 (permit tcp any eq smtp host 192.168.0.20).

* That an external SMTP client initiating a connection to your server would be using TCP source port >1023, and would NOT match ACE #50 because you have specified the TCP source port 25 (smtp) requirement.

* That both of the prior described connection attempts would match ACE #60 (permit tcp any host 192.168.0.20 eq smtp log) because "only" the TCP destination port 25 (smtp) has been specified in the ACE, and is common to both connection attempts. However, because inbound connections from SMTP servers matched ACE #50, the packets are forwarded without being compared to ACE #60.

Since ACE #60 would match both connection types, you could eliminate ACE #50.

Best Regards,
News Reader



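The first-match behaviour described in the post above, as an added example that is not part of the thread or of any Cisco software: a small Python model that parses the two ACEs as written in the thread, walks them in sequence order, and stops at the first match, so a packet matched by ACE 50 is never compared against ACE 60. The outside hosts (203.0.113.x), the switch and client addresses for the NTP case, and the ephemeral source ports are constructed for illustration; only the "eq" port operator and the any/host/wildcard address forms are modelled.

```python
"""Simulate first-match evaluation of Cisco-style extended ACEs.

Added example, not Cisco code. It models the two SMTP ACEs from the
thread and the NTP source-port case the reply mentions. Outside
addresses and ephemeral ports below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports accepted after "eq" (a small subset of the IOS keywords).
PORT_NAMES = {"smtp": 25, "ntp": 123, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any transport protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]          # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port
    log: bool


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (Cisco wildcard) as the second element.
    return ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' operator following an address."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line: str) -> ACE:
    """Parse 'seq permit|deny proto src [eq p] dst [eq p] [log]'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    src, i = _addr(tok, 3)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return ACE(seq, action, proto, src, sport, dst, dport, "log" in tok[i:])


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[Optional[int], str]:
    """Walk the ACL in sequence order; first match wins, implicit deny last."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.seq, ace.action
    return None, "deny"


# The two ACEs from the thread, as applied inbound on the outside interface.
SMTP_ACL = [
    parse_ace("50 permit tcp any eq smtp host 192.168.0.20"),
    parse_ace("60 permit tcp any host 192.168.0.20 eq smtp log"),
]
# Constructed outside hosts: one sourcing from port 25 (the case the post
# attributes to SMTP servers) and one client using an ephemeral port.
SERVER_TO_EXCHANGE = Packet("tcp", "203.0.113.10", 25, "192.168.0.20", 25)
CLIENT_TO_EXCHANGE = Packet("tcp", "203.0.113.20", 49152, "192.168.0.20", 25)


def smtp_demo() -> dict:
    """Which ACE handles each connection, with and without ACE 50."""
    without_50 = [a for a in SMTP_ACL if a.seq != 50]
    return {
        "server_full": evaluate(SMTP_ACL, SERVER_TO_EXCHANGE),
        "client_full": evaluate(SMTP_ACL, CLIENT_TO_EXCHANGE),
        "server_no50": evaluate(without_50, SERVER_TO_EXCHANGE),
        "client_no50": evaluate(without_50, CLIENT_TO_EXCHANGE),
    }


# NTP as in the post: an ACE keyed on source port 123 matches a switch that
# sources from 123 but not a Windows client on an ephemeral port.
NTP_ACL = [parse_ace("10 permit udp any eq ntp host 192.168.0.1 eq ntp")]
SWITCH_NTP = Packet("udp", "192.168.0.5", 123, "192.168.0.1", 123)
WINDOWS_NTP = Packet("udp", "192.168.0.50", 50123, "192.168.0.1", 123)


def ntp_demo() -> dict:
    return {"switch": evaluate(NTP_ACL, SWITCH_NTP),
            "windows": evaluate(NTP_ACL, WINDOWS_NTP)}


if __name__ == "__main__":
    for name, (seq, action) in {**smtp_demo(), **ntp_demo()}.items():
        print(f"{name:12s} -> ACE {seq}, {action}")
```

Running it shows the server-sourced connection stopping at ACE 50 and the client connection falling through to ACE 60; with ACE 50 removed, both land on ACE 60 and both would then appear in its log output. The NTP ACL shows the same source-port sensitivity the reply describes: the switch packet matches, the client packet hits the implicit deny.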