Locking down outbound SMTP
Posted July 30th, 2008 by Matt Shadbolt
I’ve recently had issues with my company’s IP address being blacklisted by a bunch of RBLs (Realtime Block Lists), blocking mail delivery from our server on the basis that we are sending SPAM. We of course didn’t realize there was a rogue client on our network sending bulk unsolicited emails.
After weeding out the client – and confirming their AV was installed and up-to-date, it was now time to stop this from happening again. And it’s actually relatively simple.
In this (and most) instances, the virus installs a light-weight SMTP server on the client and spews email on behalf of the SPAMmers. To stop this we need to block rogue emails being sent from within our network.
My company only has one mail server so the update to our outbound Cisco ACL was simple.
Sample:
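ip access-list extended sample-inbound
 ! SMTP from the mail server is allowed out
 permit tcp host 192.168.168.100 any eq smtp
 ! SMTP from every other host is dropped
 deny tcp any any eq smtp
 ! everything else passes (yes I know, not good practice but a good example!)
 permit ip any any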
OK, so fairly straightforward. As the traffic leaves our network the outbound ACL is run through. Firstly, if the SMTP traffic is from the server (192.168.168.100) the traffic is allowed. If the traffic doesn’t match the host IP address it drops to the second line. Obviously the next line denies any SMTP traffic – this is the condition that will stop any other client on the network from sending mail they shouldn’t be.
Simple as that.
NOTE: Be sure you apply the ACL to the correct interface! You should apply it to the interface that is connected to the server – in this example the default gateway of the 192.168.168.x network.
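The first-match evaluation walked through above, as an added example that is not part of the original post: a small Python model of the sample ACL (written in IOS permit/deny tcp form, an assumption) run against constructed packets. The workstation and destination addresses are made up, and the last check shows that moving the catch-all permit to the top would shadow the SMTP deny.

```python
import ipaddress

# The post's sample ACL in IOS permit/deny form (an assumed rendering).
SAMPLE_ACL = """\
permit tcp host 192.168.168.100 any eq smtp
deny tcp any any eq smtp
permit ip any any
"""
PORTS = {"smtp": 25}  # the only named port this ACL uses

def parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' and return it as a network."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError("unsupported address form: " + word)

def parse_acl(text):
    """Turn ACL lines into (action, proto, src, dst, dport) tuples."""
    rules = []
    for line in filter(None, map(str.split, text.splitlines())):
        action, proto = line.pop(0), line.pop(0)
        src, dst = parse_addr(line), parse_addr(line)
        port = line[1].lower() if line[:1] == ["eq"] else None
        dport = (PORTS.get(port) or int(port)) if port else None
        rules.append((action, proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; no match hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_dport in rules:
        if (r_proto in ("ip", proto) and src in r_src and dst in r_dst
                and r_dport in (None, dport)):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed packets: mail server, a workstation, and web traffic.
    for pkt in [("tcp", "192.168.168.100", "203.0.113.25", 25),
                ("tcp", "192.168.168.57", "203.0.113.25", 25),
                ("tcp", "192.168.168.57", "198.51.100.80", 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
    # Reversing the order puts the catch-all permit first and shadows the deny.
    shadowed = parse_acl("\n".join(reversed(SAMPLE_ACL.splitlines())))
    print(evaluate(shadowed, "tcp", "192.168.168.57", "203.0.113.25", 25))
```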
Tags: acl, cisco, network security, smtp
One Response to “Locking down outbound SMTP”
August 6th, 2008 at 9:05 am
This is a good plan. I would also recommend that you run some tools against your mail server to see if it's vulnerable in any way.
You can also do antispam at the router if you wish by using http://www.spamhaus.org/drop/
Regards
John Jones
http://www.johnjones.me.uk