Hi, you are correct. Only udp/53 needs to be open for DNS queries to your DNS server. The other solution is to have a split DNS, i.e. have an internal DNS server for internal lookups, and have an external authoritative DNS server for your domain, only resolving lookups for your mail server and any other publicly accessible servers.
Eddie Filer
Senior Consultant
Deloitte & Touche Enterprise Risk Services
Information Security Services

-----Original Message-----
From: Mike V [mailto:[EMAIL PROTECTED]]
Sent: 04 December 2001 08:42
To: Saša Popravak; wali; [EMAIL PROTECTED]
Subject: Re: pix firewall and mail server

I was under the impression that 53/tcp was for zone xfers, and 53/udp was for queries, so you may want to confirm to avoid opening more than you need to.

Mike

----- Original Message -----
From: "Saša Popravak" <[EMAIL PROTECTED]>
To: "wali" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, December 03, 2001 1:51 AM
Subject: Re: pix firewall and mail server

> You should also open ports 53/tcp and 53/udp for DNS queries so one can find
> your mail server by checking the MX record from your DNS.
>
> Best wishes,
> Pope
>
> ----- Original Message -----
> From: "wali" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, 29 November 2001 14:50
> Subject: pix firewall and mail server
>
> > Hi,
> > I have a Cisco PIX firewall,
> > and I only have a mail server (MS Exchange) on NT Server
> > and a lot of workstations on NT Workstation.
> > I made NATing for the PCs to work on virtual IPs,
> > and only the mail server takes a real IP (the traffic comes to the real one and the
> > firewall passes it to the virtual one),
> > and I only want the outside traffic coming to the mail ports only,
> > so I opened TCP port 25 and closed all other incoming ports,
> > but the server stopped receiving mail.
> > When I allow all traffic except ICMP it works.
> > Is there any other port that should be open to allow the mail server to
> > receive mail?
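As an added illustration of the MX lookup the thread is talking about (this is not code from any of the posters), a small Python parser that builds a DNS MX query, parses a response, and reports whether the TC (truncated) flag is set; that flag is the one case where an ordinary query has to be retried over tcp/53 rather than udp/53, which is what the udp-only filtering decision above hinges on. The domain name and the response bytes are constructed for the example, not captured from a real server.

```python
import struct

def build_mx_query(name: str, txid: int = 0x1234) -> bytes:
    """Build an RFC 1035 wire-format query for the MX record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN

def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # compression pointer (2 bytes)
            if end is None:
                end = off + 2                          # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_mx_response(msg: bytes):
    """Return (truncated, sorted [(preference, exchange), ...]).
    If `truncated` is True the answer did not fit in the UDP reply and the
    resolver must repeat the same query over tcp/53 to get the full answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    truncated = bool(flags & 0x0200)                   # TC bit
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    mx = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 15:                                # MX RDATA: preference + exchange
            exch, _ = read_name(msg, off + 2)
            mx.append((struct.unpack("!H", msg[off:off + 2])[0], exch))
        off += rdlen
    return truncated, sorted(mx)

# Constructed sample (not a real capture): example.com has MX 10 mail.example.com
QUERY = build_mx_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
                   + QUERY[12:] + b"\xc0\x0c"                           # question, NAME ptr
                   + struct.pack("!HHIH", 15, 1, 3600, 9)               # MX, IN, TTL, RDLEN
                   + struct.pack("!H", 10) + b"\x04mail\xc0\x0c")       # pref 10, mail.<ptr>
# Same query answered with TC set and no answers: the client must retry over tcp/53
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
```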