Contributor
May 9, 2007
Question

Restrict port 25 to one IP address

  • May 9, 2007
  • 4 replies
  • 4639 views
Hi There,

We are currently running a Fortigate 60ADSL router. Port 25 is forwarded to the Exchange server for incoming mail. How do I configure the firewall to ONLY allow connections to port 25 from only ONE public IP address?

The reason I ask is that we have a Barracuda spam filter in a data centre. This receives all the mail for the domain name (the MX record points to that spam filter); the Barracuda then sends the mail to the public IP address of our network, so we really should lock down the port 25 forwarding to only accept connections from the Barracuda's public IP address. I would like to do this in the Fortinet firewall, rather than on the Exchange server itself. How do I configure such a setup?

Firmware version: Fortigate-60ADSL 3.00,build0406,070126

Help would be much appreciated.

Regards
Travis

    romanr
    New Member
    May 9, 2007
    Just enter your Spam-Filter-Box as the source address in the policy for your mail server and don't allow "any". Cheers.
    Contributor
    May 9, 2007
    Hi There,

    Thanks for your reply. I don't quite understand what you mean by don't allow "any". This is how I have set up the policy (Firewall --> Policy --> Create New):

      • Source Interface/Zone: adsl
      • Source Address Name: <IP Address of Spam Filter>
      • Destination Interface/Zone: internal
      • Destination Address Name: <Selected the VIP I created for SMTP port forwarding>
      • Schedule: Always
      • Service: SMTP
      • Action: Accept
      • Box for NAT is checked; all other boxes unchecked

    Here are the settings for the SMTP Virtual IP I created:

      • Name: SMTP
      • External Interface: adsl
      • Type: Static NAT
      • External IP Address/Range: 0.0.0.0
      • Mapped IP Address/Range: <LAN IP Address of Mail Server>
      • Port Forwarding box is checked
      • Protocol: TCP
      • External Service Port: 25
      • Map to Port: 25

    It's very strange: even though I configured the firewall policy with the source address, it still accepts connections to port 25 from any IP address. I am baffled as to why it doesn't work; I've most likely missed something simple. Help is much appreciated.

    Regards
    Travis
    romanr
    New Member
    May 10, 2007
    And there is no other policy using this VIP and allowing more than just the spam-filter server?
    Contributor
    May 10, 2007
    Yep, nothing else is using that VIP.

    Regards
    Travis
    doshbass
    New Member
    May 12, 2007
    There are a couple of possibilities:

    1) The public address of the Barracuda is defined wrongly, perhaps a 0.0.0.0 mask instead of 255.255.255.255.
    2) There is another FW policy that is overriding this one.

    Another one may be that a different VIP somewhere has been defined with the LAN mail server address by mistake.

    Jon
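    For reference, here is the same setup (the OP's VIP and policy, plus the single-host address object doshbass is asking about) expressed as FortiOS CLI configuration. This is an added illustration written for this thread, not configuration posted by anyone in it; the exact 3.00 CLI keywords are assumed from later FortiOS versions, and the IP addresses, object names and policy ID are placeholders.

```fortios
# Address object for the spam filter. A single host needs a /32 mask;
# a 0.0.0.0 mask would match every source address, which is exactly the
# symptom described above (port 25 open to anyone).
config firewall address
    edit "barracuda-spamfilter"
        # placeholder public IP of the Barracuda (from RFC 5737 test range)
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Static NAT VIP as described by the OP. extip 0.0.0.0 = use the adsl
# interface's own address; mappedip is a placeholder LAN address.
config firewall vip
    edit "SMTP"
        set extintf "adsl"
        set extip 0.0.0.0
        set mappedip 192.168.1.10
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# Inbound policy: only the spam filter may reach the VIP on SMTP.
# Policies are matched top-down, so no earlier adsl -> internal policy may
# use "all" or this VIP as dstaddr with a wider srcaddr, or it wins first.
# NAT is left disabled: it is not needed for inbound VIP traffic.
config firewall policy
    edit 10
        set srcintf "adsl"
        set dstintf "internal"
        set srcaddr "barracuda-spamfilter"
        set dstaddr "SMTP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat disable
    next
end
```

    To check for an overriding rule, `show firewall policy` lists every policy with its srcaddr/dstaddr, and `diagnose sniffer packet adsl 'port 25'` shows which source addresses are actually reaching the VIP.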
    thors_hammer
    New Member
    May 15, 2007
    I think you can uncheck the NAT box in the firewall policy, 'cause it's not needed for inbound connections with VIPs. Perhaps that's the solution to your problem...