Configuring a NetScreen Firewall for an SMTP server from the CLI

If you wish to configure a Juniper Networks NetScreen firewall to allow email to be sent to accounts on a Simple Mail Transfer Protocol (SMTP) server on the trusted side of the firewall from a command line interface (CLI), you can establish a Secure Shell (SSH) connection to the system and take the steps below. Note: these steps are for a system that isn't using network address translation (NAT). For instructions on how to configure a NetScreen Firewall that is using NAT from the web-based interface used to manage the firewall, see Configuring a NetScreen Firewall for an Internal SMTP Server or see Viewing Policies and Configuring a Policy for FTP for the steps that can be used from the CLI interface via an SSH connection when a virtual IP (VIP) address is used with NAT.

If you don't already have an address in the firewall's address book for the email server, create one. E.g., supposing the IP address of the system, which is on the trusted, internal side of the firewall is and it is named hugo, the command below could be used:

netscreen-> set address "Trust" "hugo" 

The address after the IP address is the subnet mask that is used for a host IP address. You can also include a comment at the end of the command with some identifying information regarding the system, if you wish, e.g., set address "Trust" "hugo" "Email server".

You could view all addresses in the address book for the trusted side of the firewall with the command get address trust. If you just want to see the newly created entry for hugo, you could use get address trust | include hugo.

If you want to see the existing rules, aka policies, in the firewall, you can use the get policy command. To configure a new rule to allow SMTP connections to the email server, you need to specify that the service is "Mail" as that is the predefined service for connections to port 25, the well-known port used for SMTP. You can see the predefined services for email using the command get service | include Mail.

netscreen-> get service | include Mail
get service | include Mail
IMAP                         6         143 email              30    Pre-defined 
MAIL                         6          25 email              30    Pre-defined 
POP3                         6         110 email              30    Pre-defined 

A set policy command similar to the one below can be used to set the policy:

netscreen-> set policy from untrust to trust Dragon hugo MAIL permit
policy id = 18

In the above example, I am permitting connections on the MAIL port, i.e. port 25, from the untrusted interface on the firewall to the trusted interface, but I am only allowing that connectivity from one system on the untrusted side. That system, which will be allowed to connect to port 25 on hugo, is named Dragon, i.e., there's an address book entry that maps the name Dragon to the IP address of the source system. If I wished to allow connectivity from any system, I would use "any", instead of "Dragon". The policy id assigned to the new policy is 18; I could have started the command with set policy id num and specified a particular number for num, e.g. set policy id 3, if I knew from examining the existing policies that there was currently none numbered "3". I can view the details for the newly created policy with the command get policy id 18. - Your tech ebook super store
ns5xp-> get policy id 18
name:"none" (id 18), zone Untrust -> Trust,action Permit, status "enabled"
src "Dragon", dst "hugo", serv "MAIL"
Policies on this vpn tunnel: 0
nat off, url filtering OFF
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set

Be sure to enter the save command, if you wish to save the newly created firewall rule, else it will be gone if the firewall reboots. If you configure the rule and need to verify the traffic is passing through the firewall, you can use the debug command to do so as explained at

Related Articles

  1. Configuring a NetScreen Firewall for an Internal SMTP Server
    Created: April 12, 2009
    MoonPoint Support
  2. Viewing Policies and Configuring a Policy for FTP
    Created: June 28, 2015
    MoonPoint Support
  3. Configuring Juniper NetScreen firewall rule from command line
    Created: January 6, 2015
    MoonPoint Support


TechRabbit ad 300x250

Justdeals Daily Electronics Deals1x1 px