need to deny any device local using port 25 except my email server

FishMan
Comes here often

need to deny any device local using port 25 except my email server

need to deny any device locally from using port 25 except my email server

8 Replies 8
ww
Kind of a big deal
Kind of a big deal

Rule 1 . Allow serverIP + port25(src  or dst depending on your needs)

Rule 2   deny anyIP + port25(src or dst..)

 

Apply on the network device as close to the client as possible

FishMan
Comes here often

meraki.png Can you confirm that this is what you mean

 

thanks

ww
Kind of a big deal
Kind of a big deal

I guess its more like

Allow    Server ip, any, any, 25

Deny     Any,any,any, 25

 

KarstenI
Kind of a big deal
Kind of a big deal

The source port in an ACL typically has to be "any". Often you do not want to care about the source ports in use. Most systems use a random port > 1023 but some are also using ports < 1024. SMTP typically uses ports >1023.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
FishMan
Comes here often

sorry i have this problem, when i apply deny any any with destination port 25 my email is on queue

meraki.png

when i remove any then i allow my email to move from queue

meraki1.png

can someone help on this

KarstenI
Kind of a big deal
Kind of a big deal

For whatever reason, your allow rule does not work. Do you use TCP/25 to access the Mailserver? Test to change the port 25 to "Any" in your allow rule and see if it has hits.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Bruce
Kind of a big deal

You need a slight change to your allow rule...


To allow your mail server outbound access you need the ‘mail server’ IP address in the source IP address for the allow rule, the source port is any, the destination IP address is any, and the destination port is 25. Your mail server will likely use a ‘random’ outbound/source port, but always its own IP address, the destination will always be ‘any’ (because you don’t know what it’s connecting to), and the destination port will always be TCP port 25, since that’s the well known port that SMTP listens on.

 

Thats should get you working.

KarstenI
Kind of a big deal
Kind of a big deal

Oh, yes, it's the mail-server that needs to send mails. I was under the impression that you want to only allow access *to* the Mail server. Of course Bruce is right here.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels