snowdog_2112

Use IPSec policy in GPO to block outbound SMTP from workstations

I realize a *decent* router/firewall would probably do this, but I have to work with the tools available (i.e. customer too cheap to spring for a decent router).

Problem: A single public IP NAT'd to internal network with an Exchange Server on the inside.  Workstation(s) get infected and spew spam to the Internet and get the IP blacklisted, so the Exchange server can't send legitimate client mail.

Question: Is there any overwhelming reason *not* to use an IPSec policy in GPO to deny workstations from making TCP connections to destination port 25?

My thought is that even if the workstations get infected, they won't get the public IP blacklisted because they can't spam directly to the Internet.  While that doesn't solve the problem of the infection, it buys me time to identify and clean the machine without having to clean them off RBL's so they can send legitimate mail.

I apply the GPO at the OU where the workstation accounts are, so it only applies to the workstations and not the server.
RWrigley

In fact, many commercial virus scanners (thinking McAfee, Norton and the like) block applications from sending SMTP automatically.  Unfortunately, they usually except Outlook.

Does your client only have one public IP available?  If not, it might be worthwhile to give the exchange server its own IP address on the internet, and then you can just shutdown port 25 on the NAT altogether.
ASKER CERTIFIED SOLUTION (snowdog_2112)

snowdog_2112 (ASKER)

This does actually work.  With the IPSec policy in place, the workstations are unable to make 25/tcp connections.

It may not be the best or cleanest solution, but it might be helpful to someone.
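The policy the asker describes, written out as an added example that is not from the thread: a local IPsec policy built with the legacy `netsh ipsec static` commands (the same policy objects the IP Security Policy editor puts into a GPO) that blocks outbound TCP/25 from a workstation while still permitting it to the internal mail server. The policy, filter list and filter action names are invented, `10.0.0.25` is a placeholder for the Exchange server's internal address, and `mx.example.com` is a placeholder external host used only to confirm the block.

```powershell
# Added example: block outbound SMTP (TCP/25) from a workstation with a local IPsec policy.
# Names contain no spaces so netsh receives them unquoted from PowerShell.
$PolicyName = "BlockOutboundSMTP"          # invented policy name
$BlockList  = "TCP25ToAnywhere"            # invented filter list name
$AllowList  = "TCP25ToExchange"            # invented filter list name
$Exchange   = "10.0.0.25"                  # placeholder: internal Exchange server IP
$Outside    = "mx.example.com"             # placeholder: any external host, used for the check only

# 1. Policy container; nothing is enforced until it is assigned in step 6.
netsh ipsec static add policy name=$PolicyName

# 2. Broad filter: this host -> any address, TCP, destination port 25.
#    srcport=0 means any source port; mirrored=no leaves inbound traffic alone.
netsh ipsec static add filterlist name=$BlockList
netsh ipsec static add filter filterlist=$BlockList srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=25 mirrored=no

# 3. Narrow filter for the internal mail server only. IPsec weights filters by
#    specificity, so this single-address match wins over the Any-address block above.
netsh ipsec static add filterlist name=$AllowList
netsh ipsec static add filter filterlist=$AllowList srcaddr=Me dstaddr=$Exchange protocol=TCP srcport=0 dstport=25 mirrored=no

# 4. Filter actions: drop silently, or pass in the clear.
netsh ipsec static add filteraction name=DropSMTP action=block
netsh ipsec static add filteraction name=PassSMTP action=permit

# 5. Rules bind each filter list to an action inside the policy.
netsh ipsec static add rule name=BlockSMTPToInternet policy=$PolicyName filterlist=$BlockList filteraction=DropSMTP
netsh ipsec static add rule name=PermitSMTPToExchange policy=$PolicyName filterlist=$AllowList filteraction=PassSMTP

# 6. Assign the policy. Only one IPsec policy is active per machine, and a policy
#    assigned through a GPO overrides a locally assigned one.
netsh ipsec static set policy name=$PolicyName assign=y

# 7. Verify: the external connect should time out (packets are dropped, so the
#    result is False), the connect to Exchange should succeed (True).
Test-NetConnection -ComputerName $Outside  -Port 25 -InformationLevel Quiet
Test-NetConnection -ComputerName $Exchange -Port 25 -InformationLevel Quiet
netsh ipsec static show policy name=$PolicyName
```

Run it elevated on one workstation in the target OU to confirm the behaviour before building the same policy in the GPO's IP Security Policies node, where it applies to every computer in that OU and not to the server, as the asker notes. The Exchange exception is there so that anything on the workstation that legitimately submits mail to the internal server on port 25 keeps working; if nothing does, the second filter list and rule can be left out and the policy is simply a blanket block.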