IPSec filter to allow only sending e-mail

  • Thread starter Tomislav Herceg

Tomislav Herceg

Hi!

I have a web server secured by an IPsec policy that allows only ports 80 and
443. From my application I need to send e-mail messages to an SMTP server.

How do I create an IPsec filter to allow connecting to the SMTP server and sending
e-mail messages from the application? I don't want to install the IIS SMTP service
because I only need to send e-mail.

When I configure the IPsec filter as follows:
Source address: Any IP Address
Destination address: My Ip Address
Protocol: TCP, 6
From any port to port 25
Mirrored

and unassign and assign the IPsec policy, I can connect to the SMTP server and
send mail. But after a server restart the connection to the SMTP server doesn't work.
If after the server restart I unassign the IPsec policy and try to connect to the SMTP
server, everything works (expected, because I removed the IPsec policy). After that,
when I assign the policy with the SMTP filter again, the connection still works.

But after a restart the connection doesn't work.

Any suggestions?

Tnx.
 

Steven L Umbach

Try this policy:
Source address: My IP
Destination address: Any IP [or SMTP server]
From any port to port 25.
Action: allow.
I think your policy may be backwards. --- Steve
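
A small model of the mirrored-filter matching discussed in the reply above, as an added example that is not part of the original thread and is not Windows code. It assumes a mirrored filter also matches packets with source and destination addresses and ports swapped; the addresses are constructed documentation addresses and the class and function names are hypothetical.

```python
# Added illustration: models only filter matching, not the Windows IPsec driver.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ME = "203.0.113.10"     # constructed: the web server ("My IP Address")
SMTP = "198.51.100.25"  # constructed: the remote SMTP server

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Filter:  # hypothetical model of one TCP filter-list entry
    src: str            # "any" or an address/CIDR
    dst: str
    sport: int = 0      # 0 means "any port"
    dport: int = 0
    mirrored: bool = True

    def _one_way(self, p, src, dst, sport, dport):
        addr_ok = lambda spec, a: spec == "any" or ip_address(a) in ip_network(spec)
        return (addr_ok(src, p.src) and addr_ok(dst, p.dst)
                and sport in (0, p.sport) and dport in (0, p.dport))

    def matches(self, p):
        if self._one_way(p, self.src, self.dst, self.sport, self.dport):
            return True
        # Assumption: "Mirrored" adds the same filter with addresses and ports swapped.
        return self.mirrored and self._one_way(p, self.dst, self.src, self.dport, self.sport)

ORIGINAL = Filter(src="any", dst=ME, dport=25)  # as first posted
REVERSED = Filter(src=ME, dst=SMTP, dport=25)   # as suggested in the reply

PACKETS = {
    "outbound_syn": Packet(ME, 49152, SMTP, 25),           # application connects out
    "smtp_reply": Packet(SMTP, 25, ME, 49152),             # SMTP server answers
    "inbound_to_25": Packet("192.0.2.77", 40000, ME, 25),  # third party to local port 25
}

def report(f):
    """Return which of the constructed packets the filter matches."""
    return {name: f.matches(p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    print("original:", report(ORIGINAL))
    print("reversed:", report(REVERSED))
```

In this model the filter as first posted matches only connections arriving at the server's own port 25, while the reversed filter matches the outbound connection and its replies.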
 

Tomislav Herceg

I tried the policy that you suggested but have the same problem. When I unassign
and after that assign the policy, everything works. But after a server restart
it doesn't!?! Why oh why?
 

Steven L Umbach

Similar policies have worked for me. I am assuming that the IPsec
policy is applied just to the IIS server. I would suggest checking Event
Viewer for clues or using a network monitor such as Netmon to watch the
traffic flow. Also use ipsecmon to try to troubleshoot the connection. I have
not used IPsec filtering in quite a while, because it is somewhat difficult
to troubleshoot compared to a personal firewall that would have some pretty
detailed logging and be much easier to set up. Excellent personal firewalls are
either free for personal use or reasonably priced and well worth it. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;231587
http://support.microsoft.com/default.aspx?scid=kb;en-us;313195

 

Tomislav Herceg

> Tomislav,
>
> You seem to be suggesting that the problem is not with the filter itself but
> that the filter is not getting applied after a server restart.

Yes, that is my suspicion.

> Questions:
> Do the other filters get applied after the server restart?

Yes. I have a filter that blocks all traffic and filters that allow only HTTP,
HTTPS and RDP.

> Are these filters
> delivered via a Local IPSec Policy or an IPSec Policy stored in the AD?

The server is in a workgroup, so IPsec is delivered via Local Policy.

> Have you checked IPSec Monitor to see if the SMTP filters show up under your
> Main Mode Generic and Specific filter lists after a reboot?

No, because I use IPsec only to protect other ports (e.g. the MS SQL Server
port) and only allow traffic to the web. I don't use IPsec to encrypt
communication.

> If instead of un-assigning and re-assigning the policy you stop and start
> policy agent do the SMTP filters work?

No. The only time that the SMTP filter works is when, after a restart, I un-assign
the IPsec policy, try telnet to the SMTP server and then re-assign the IPsec policy.

> Louise
> IPSec Team (MSFT)

Sincerely,
Tomislav
 
