Configure Firewall to block smtp access to server on internal network

Posted on 2011-05-01
Last Modified: 2012-06-27
Hello, I noticed I have a security flaw in my system whereby if I am located inside the network and telnet to my mail server, I can create an email message and send it without authenticating, thereby allowing users to create a bogus sender's address and spam valid senders within our environment. I was looking at potential ways of preventing this from happening. One thought was to create a LAN-to-LAN firewall rule allowing access on port 25 only on the email server, so deny all other LAN-to-LAN traffic on port 25. I just wasn't sure if I would be impacting other areas working effectively. For example, my proxy server emails out when it has an issue, etc., so I might need to restrict it to all servers, unless someone else can offer some alternative suggestions to prevent this behaviour. My email system is GroupWise 8 and I have a Cyberoam firewall.
Question by: elschott

Assisted Solution

jmeggers earned 1000 total points
ID: 35502562
As far as I know, there's no way to prevent telnet access to an e-mail server, but I suppose perhaps that depends on the e-mail server itself. One option, as you've alluded to, is to protect the e-mail server with an ACL in front of it. My suggestion would be to put the e-mail server in a DMZ hanging off the firewall, and then you can specifically control what protocols are allowed access to the server.

Accepted Solution

chakko earned 1000 total points
ID: 35503160

In general, the firewall controls traffic between networks. On the local LAN you probably can't accomplish what you want. I say maybe because perhaps there is some crazy configuration which could get the job done - but I don't know of any.

You should check into the SMTP security (or relay) settings on your email server. I don't know GroupWise, but other email servers normally have a place where you can control who connects to it. In MS Exchange you could set a configuration to only allow a specific list of IP addresses which can connect to the SMTP service. The problem you may face is that Internet email (coming from the Internet) may be blocked if you set a static list of IP addresses. It depends on your mail server configuration options.
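
The trade-off raised in the accepted answer, modelled as an added example (not part of the original thread, and not GroupWise or Exchange configuration): a static IP list alone turns away inbound Internet mail, while a relay policy that separates submission from local delivery does not. The networks, addresses, domain and function names below are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not taken from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Hosts allowed to submit without authenticating, e.g. a proxy that mails alerts.
TRUSTED_SUBMITTERS = {ipaddress.ip_address("10.0.0.20")}
LOCAL_DOMAINS = {"example.com"}


@dataclass
class SmtpSession:
    client_ip: str
    authenticated: bool
    rcpt_to: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def static_allowlist_only(s: SmtpSession) -> str:
    """Connection-level IP list: simple, but it also blocks Internet senders."""
    ip = ipaddress.ip_address(s.client_ip)
    return "accept" if ip in TRUSTED_SUBMITTERS else "reject"


def relay_policy(s: SmtpSession) -> str:
    """Decide per session whether the server should take the message."""
    ip = ipaddress.ip_address(s.client_ip)
    # Authenticated users and listed hosts may send anywhere.
    if s.authenticated or ip in TRUSTED_SUBMITTERS:
        return "accept"
    # Unlisted internal clients (the telnet-from-a-workstation case) must log in.
    if any(ip in net for net in INTERNAL_NETS):
        return "reject-auth-required"
    # External, unauthenticated: deliver to local mailboxes only, never relay.
    if _domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "accept"
    return "reject-relay-denied"


if __name__ == "__main__":
    for case in [
        SmtpSession("10.0.5.77", False, "user@example.com"),    # workstation
        SmtpSession("10.0.0.20", False, "admin@example.com"),   # proxy alert
        SmtpSession("203.0.113.9", False, "user@example.com"),  # Internet mail
        SmtpSession("203.0.113.9", False, "x@example.net"),     # relay attempt
    ]:
        print(case.client_ip, case.rcpt_to, static_allowlist_only(case), relay_policy(case))
```
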


Author Closing Comment

ID: 35579749
Not the slam dunk I had hoped for, but useful nonetheless. Thanks.

Question has a verified solution.
