Configure Firewall to block smtp access to server on internal network

Posted on 2011-05-01
Last Modified: 2012-06-27
Hello, I noticed I have a security flaw in my system whereby, if I am located inside the network and telnet to my mail server, I can create an email message and send it without authenticating, thereby allowing users to create a bogus sender's address and spam valid senders within our environment. I was looking at potential ways of preventing this from happening. One thought was to create a LAN-to-LAN firewall rule allowing access on port 25 only on the email server, so deny all other LAN-to-LAN traffic on port 25. I just wasn't sure if I would be impacting other areas working effectively. For example, my proxy server emails out when it has an issue, etc., so I might need to restrict it to all servers, unless someone else can offer some alternative suggestions to prevent this behaviour. My email system is GroupWise 8 and I have a Cyberoam firewall.
Question by: elschott
    LVL 18

    Assisted Solution

    As far as I know, there's no way to prevent telnet access to an e-mail server, but I suppose perhaps that depends on the e-mail server itself.  One option, as you've alluded to, is to protect the e-mail server with an ACL in front of it.  My suggestion would be to put the e-mail server in a DMZ hanging off the firewall, and then you can specifically control what protocols are allowed access to the server.
    LVL 22

    Accepted Solution


    In general the Firewall controls traffic between networks.  On the local LAN you probably can't accomplish what you want.  I say maybe because perhaps there is some crazy configuration which could get the job done - but I don't know of any.

    You should check into the SMTP security (or relay) settings on your Email server.  I don't know GroupWise, but other Email servers normally have a place where you can control who connects to it.  In MS Exchange you could set a configuration to only allow a specific list of IP addresses which can connect to the SMTP service.  The problem you may face is that Internet email (coming from the internet) may be blocked if you set a static list of IP addresses.  It depends on your mail server configuration options.
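
The IP allow list described in the accepted answer, sketched as an added example that is not part of the thread and is not GroupWise or Cyberoam configuration: internal hosts must be on the list, external sources pass so inbound Internet mail is not blocked, and a log audit flags unauthenticated submissions the list would have rejected. The LAN range, the allowed addresses and the log format are all assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the thread): LAN range and the internal hosts
# permitted to hand mail to the SMTP service without authenticating.
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_INTERNAL = {
    ipaddress.ip_address("192.168.1.10"),  # mail server (constructed)
    ipaddress.ip_address("192.168.1.20"),  # proxy that e-mails alerts (constructed)
}

def connection_allowed(client_ip: str) -> bool:
    """Internal hosts must be on the allow list; non-LAN sources pass so
    that a static list does not block inbound Internet mail."""
    ip = ipaddress.ip_address(client_ip)
    if ip in LAN:
        return ip in ALLOWED_INTERNAL
    return True

def parse_line(line: str) -> dict:
    """Collect the key=value fields of one log line (timestamp is skipped)."""
    return dict(f.split("=", 1) for f in line.split() if "=" in f)

def audit(lines):
    """Return (client, sender) for unauthenticated sessions from internal
    hosts that the allow list would have rejected."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if "client" not in rec or rec.get("auth") != "no":
            continue
        if not connection_allowed(rec["client"]):
            findings.append((rec["client"], rec.get("from", "")))
    return findings

# Constructed sample log in a hypothetical format, not real server output.
SAMPLE_LOG = [
    "2011-05-01T09:00:01 client=192.168.1.20 auth=no from=proxy@example.test",
    "2011-05-01T09:02:14 client=192.168.1.57 auth=no from=ceo@example.test",
    "2011-05-01T09:03:40 client=203.0.113.9 auth=no from=partner@example.org",
    "2011-05-01T09:05:02 client=192.168.1.58 auth=yes from=user@example.test",
]

if __name__ == "__main__":
    for client, sender in audit(SAMPLE_LOG):
        print(f"unauthenticated internal submission: {client} as {sender}")
```

Running the audit against existing logs before enforcing the list shows which servers, such as the proxy in the question, still need an entry.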


    Author Closing Comment

    Not the slam dunk I had hoped for, but useful nonetheless. Thanks.
