Firewall and SPF changes

Customers using Cisco PIX or ASA firewalls

We suggest the SMTP Fix Up or Inspect ESMTP settings be disabled on your firewall prior to setting up your MX Logic® service.

Customers using MX Logic Outbound Message Filtering

We recommend that you test for and disable any open relays on your mail server or network. Open relays are a major security concern, which if not corrected, can result in the immediate shutdown of Outbound Message Filtering. Follow the steps below to properly lock down SMTP to your mail server.

Customers using firewalls with built-in spam filtering (i.e., Barracuda)

Some firewalls using built-in spam filtering may block some MX Logic IP addresses. If you use such an appliance and it is behind another firewall, it is recommended you also add the MX Logic IP ranges to the appliance so that traffic from MX Logic is accepted. Not doing so can cause intermittent interruptions to email delivery. Note that some older versions of these appliances to not allow input of IP addresses/ranges. In this case, it is recommended that the appliance be disabled/removed from service, as MX Logic will provide the same type of spam filtering with a more user-friendly configuration.

Securing your network

We recommend that customers using the Email Defense Service for inbound mail filtering disable any SPF check and/or rejection, based on SPF failures. This will prevent delivery difficulties when a recipient sees the message as being sent by MX Logic, as opposed to the actual sender.

To test connectivity from MX Logic:

1.  Login to the Control Console

2.  Click Email Defense

3.  Click Setup

4.  Ensure the SMTP Host Address, Port and Preferences are correct

  • If you needed to make a correction, be sure to click save.

5.  Click Test Connectivity

Once you have ensured that mail is flowing properly from MX Logic, we recommend you restrict connections to your mail server to accept connections only from MX Logic.

The preferred setting is to include the Classless Inter-Domain Routing (CIDR) for the entire Class 8 C notation. Alternate settings are also provided below.

Preferred Setting

If your firewall solution accepts Classless Inter-Domain Routing (CIDR) and can support Class 8 C notation please include the following:

CIDR Starting IP Ending IP
208.65.144.0/21 208.65.144.0 208.65.151.255
208.81.64.0/22 208.81.64.0 208.81.67.255

Alternate Setting (1) If your firewall solution accepts Classless Inter-Domain Routing (CIDR) and only supports Class 1 C notation, you will need to include the following entries to the entire subnet:

CIDR Starting IP Ending IP
208.65.144.0/24 208.65.144.0 208.65.144.255
208.65.145.0/24 208.65.145.0 208.65.145.255
208.65.146.0/24 208.65.146.0 208.65.146.255
208.65.147.0/24 208.65.147.0 208.65.147.255
208.65.148.0/24 208.65.148.0 208.65.148.255
208.65.149.0/24 208.65.149.0 208.65.149.255
208.65.150.0/24 208.65.150.0 208.65.150.255
208.65.151.0/24 208.65.151.0 208.65.151.255
208.81.64.0/24 208.81.64.0 208.81.64.255
208.81.65.0/24 208.81.65.0 208.81.65.255
208.81.66.0/24 208.81.66.0 208.81.66.255
208.81.67.0/24 208.81.67.0 208.81.67.255

Alternate Setting (2)

If your firewall solution does not accept Classless Inter-Domain Routing (CIDR) notation, you will need to include the starting and ending IP address for either the Class 8 C addresses or the Class 1C addresses, which are included above.

Least Desirable Setting

If your firewall does not accept Classless Inter-Domain Routing or IP starting and ending ranges, you can download a complete listing of IPs athttp://www.mxlogic.com/configtest/validiplist.txt.

Any of the above changes can be done by creating a firewall rule or by restricting access at the server level. We highly recommend that you lock down these subnets at your firewall as the priority preference. Please consult with your network administrator before making any changes. For additional information regarding the restriction of IP addresses, please refer to instructions from your firewall setup or from your firewall provider.

 

© 2009 EasyStreet Online Services, Inc. All rights reserved.
EasyStreet and the EasyStreet logo are registered trademarks of EasyStreet Online Services. Certain other names, logos, designs, titles, words or phrases on this site may constitute trademarks, servicemarks or tradenames of EasyStreet or other entities, which may be registered in certain jurisdictions.