[isalist] Re: Limit SMTP connections from several subnets in ISA 2000

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 5 Jan 2007 12:53:42 -0500

On 1/5/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
[...]

"SMTP NAT and source IP packet filtering so that I can specify the two

Internet subnets that are permitted through." – this is only possible
using Server Publishing; as I stated, packet filters are only useful for
ISA-local services.  Server Publishing rules allow exceptions that you can
use to block unwanted source IPs.


Yes, sir.

"need to deny anonymous SMTP connections" – that's a completely

different-colored barrel of horsemonkeys.  I think you mean "unknown"?  ISA
cannot authenticate SMTP connectio0ns at all.


OK, OK, let me rephrase the requirement: There is a list of two /20 Internet
subnets to be permitted to establish SMTP connections to the Exchange
server. The rest of the Internet can go play with horsemonkeys or do an MX
lookup for the appropriate mail servers.


...D

*From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] *On

Behalf Of *Danny
*Sent:* Friday, January 05, 2007 9:13 AM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* [isalist] Re: Limit SMTP connections from several subnets in
ISA 2000



On 1/5/07, *Jim Harrison* <Jim@xxxxxxxxxxxx> wrote:

 Nope; that's not true, either.


I was just being facetious. I have been inspired by:
http://www.tacteam.net/openport.htm



SMTP Server Publishing gives you the SMTP  Filter and (with ISA 2000 &
2004), the Message Screecher.]


For this requirement I just need an SMTP NAT and source IP packet
filtering so that I can specify the two Internet subnets that are permitted
through.



This is far more capable than the "zealot technique".

It's packet filters that are for the "openaport" fuuls and they only apply
to services operating on the ISA itself.



Is this an SBS deployment?


Not in the Microsoft SBS software sense, but maybe in employee count.
There is a dedicated ISA server and dedicated Exchange server. The change is
that email protection has been outsourced to Postini and I need to deny
anonymous SMTP connections from the rest of the Internet.

...D



*From:* isalist-bounce@xxxxxxxxxxxxx [mailto: isalist-bounce@xxxxxxxxxxxxx]
*On Behalf Of *Danny
*Sent:* Friday, January 05, 2007 8:24 AM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* [isalist] Re: Limit SMTP connections from several subnets in
ISA 2000



Actually Mr. Teacher, can I have that back. I want to say, at the end of
the day, it is the packet filters. :) Server Publishing rules in ISA 2000
are just for all of the "hardware firewall" zealots.

However, in appears as though I can only specify one source subnet per
packet filter.

...D

On 1/5/07, *Danny* <nocmonkey@xxxxxxxxx> wrote:

Server publishing, I believe, but ISA 2000 is like MS02 security bulletins
to me.

Thanks,

...D



On 1/3/07, *Jim Harrison* < Jim@xxxxxxxxxxxx> wrote:

How is the SMTP service made public; server publishing rules or packet
filters?



*From:* isalist-bounce@xxxxxxxxxxxxx [mailto: isalist-bounce@xxxxxxxxxxxxx]
*On Behalf Of *Danny
*Sent:* Wednesday, January 03, 2007 8:17 AM
*To:* isalist@xxxxxxxxxxxxx
*Subject:* [isalist] Limit SMTP connections from several subnets in ISA
2000



Been awhile since I used ISA 2000... what is the best way to restrict SMTP
connections from several specific Internet IP subnets?

Thanks.

All mail to and from this domain is GFI-scanned.



--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer




--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

All mail to and from this domain is GFI-scanned.




--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

All mail to and from this domain is GFI-scanned.





--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 01-2007