[isalist] Re: Limit SMTP connections from several subnets in ISA 2000

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 5 Jan 2007 13:23:39 -0600

Now, THAT would smell bad!
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
        Sent: Friday, January 05, 2007 1:20 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Limit SMTP connections from several
subnets in ISA 2000
        
        
        Can we get back on subject... or do I have to put a hardware
firewall in?
        
        
        On 1/5/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

                Which; playing with the kitties or being fecious?

                :-p

                 

                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                Sent: Friday, January 05, 2007 10:42 AM 
                
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Limit SMTP connections from
several subnets in ISA 2000

                

                 

                Wouldn't that smell bad?
                
                t
                
                
                On 1/5/07 9:25 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx>
spoketh to all:

                "I was just being facetious" - I see; too much playing
with the kitties the past two weeks, I guess...  I prefer "being
fecious", but that one seems to elude most folks...
                 
                "SMTP NAT and source IP packet filtering so that I can
specify the two Internet subnets that are permitted through." - this is
only possible using Server Publishing; as I stated, packet filters are
only useful for ISA-local services.  Server Publishing rules allow
exceptions that you can use to block unwanted source IPs.
                 
                "need to deny anonymous SMTP connections" - that's a
completely different-colored barrel of horsemonkeys. I think you mean
"unknown"?  ISA cannot authenticate SMTP connections at all.
                 
                
                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                Sent: Friday, January 05, 2007 9:13 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Limit SMTP connections from
several subnets in ISA 2000
                 
                On 1/5/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

                
                Nope; that's not true, either.

                
                
                I was just being facetious. I have been inspired by:
http://www.tacteam.net/openport.htm

                
                
                SMTP Server Publishing gives you the SMTP  Filter and
(with ISA 2000 & 2004), the Message Screecher.]

                
                
                For this requirement I just need an SMTP NAT and source
IP packet filtering so that I can specify the two Internet subnets that
are permitted through. 

                
                
                This is far more capable than the "zealot technique".
                
                It's packet filters that are for the "openaport" fuuls
and they only apply to services operating on the ISA itself.
                
                
                
                Is this an SBS deployment?

                
                
                Not in the Microsoft SBS software sense, but maybe in
employee count. There is a dedicated ISA server and dedicated Exchange
server. The change is that email protection has been outsourced to
Postini and I need to deny anonymous SMTP connections from the rest of
the Internet. 
                
                ...D

                
                
                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                Sent: Friday, January 05, 2007 8:24 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Limit SMTP connections from
several subnets in ISA 2000
                
                 
                
                Actually Mr. Teacher, can I have that back. I want to
say, at the end of the day, it is the packet filters. :) Server
Publishing rules in ISA 2000 are just for all of the "hardware firewall"
zealots.
                
                However, it appears as though I can only specify one
source subnet per packet filter. 
                
                ...D
                
                On 1/5/07, Danny <nocmonkey@xxxxxxxxx> wrote:
                
                Server publishing, I believe, but ISA 2000 is like MS02
security bulletins to me.
                
                Thanks,
                
                ...D
                
                 
                
                On 1/3/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
                
                How is the SMTP service made public; server publishing
rules or packet filters?
                
                
                
                From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
                Sent: Wednesday, January 03, 2007 8:17 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Limit SMTP connections from several
subnets in ISA 2000
                
                 
                
                Been awhile since I used ISA 2000... what is the best
way to restrict SMTP connections from several specific Internet IP
subnets?
                
                Thanks.

                All mail to and from this domain is GFI-scanned. 

                
                 

                 





        -- 
        CPDE - Certified Petroleum Distribution Engineer
        CCBC - Certified Canadian Beer Consumer 
