If you have ever been blacklisted for sending spam, there is a good chance the source of those emails was not your mail server but a compromised computer inside your network. So, how do you combat this? The easiest way is to create an access list on your firewall that only permits your mail server to send outbound traffic on TCP port 25 (SMTP). On a Cisco ASA this can be accomplished with 4 lines of configuration.
access-list restrict-smtp-out extended permit tcp host X.X.X.X any eq smtp
Replace X.X.X.X with the IP address of the mail server that sends mail out to the internet. This first line creates an access list named restrict-smtp-out and permits that host to send TCP traffic destined for port 25 (SMTP) to any IP address.
access-list restrict-smtp-out extended deny tcp any any eq smtp
This line adds a second entry to the same access list that denies every other source from reaching port 25 (SMTP). The ASA evaluates entries in order and the first match wins, so this deny must come after the permit for the mail server.
access-list restrict-smtp-out extended permit ip any any
We finish the access list with an entry that permits all other IP traffic; without it, the implicit deny at the end of every ASA access list would block everything else leaving the inside network.
access-group restrict-smtp-out in interface inside
We then use the access-group command to apply the access list to traffic entering the inside interface (the in direction, i.e. traffic arriving from the LAN and heading out). In our example the inside interface is simply named inside. Note that the ASA allows only one access list per interface and direction, so if one is already applied there, merge these entries into it rather than replacing it.
Then you are all done. Just remember to save your changes with write memory and test thoroughly.
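To see why the order of those three entries matters, here is an added example (not from the article and not Cisco code) that parses the exact access-list lines above and walks them the way the ASA does: top to bottom, first match wins, implicit deny at the end. The address 192.0.2.25 is a placeholder standing in for X.X.X.X; only the syntax used in the article (any, host, eq) is handled.

```python
import ipaddress

# Added example, not from the article: a minimal model of how the ASA walks
# this access list top to bottom, first match wins. 192.0.2.25 stands in for
# the article's X.X.X.X (placeholder mail-server address).
MAIL_SERVER = "192.0.2.25"
ACL_LINES = [
    f"access-list restrict-smtp-out extended permit tcp host {MAIL_SERVER} any eq smtp",
    "access-list restrict-smtp-out extended deny tcp any any eq smtp",
    "access-list restrict-smtp-out extended permit ip any any",
]
NAMED_PORTS = {"smtp": 25, "www": 80, "https": 443}


def parse_ace(line):
    """Parse the ACE subset the article uses:
    access-list NAME extended ACTION PROTO SRC DST [eq PORT], SRC/DST = any | host A.B.C.D"""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    ace = {"name": tok[1], "action": tok[3], "proto": tok[4], "dport": None}
    i = 5
    for side in ("src", "dst"):
        if tok[i] == "any":                      # None = matches any address
            ace[side], i = None, i + 1
        elif tok[i] == "host":
            ace[side], i = ipaddress.ip_address(tok[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported address form: {tok[i]}")
    if i < len(tok) and tok[i] == "eq":          # named or numeric destination port
        ace["dport"] = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return ace


def evaluate(acl, proto, src, dst, dport):
    """Return (action, ace_number) of the first matching entry, or ('deny', None)
    for the implicit deny that ends every ASA access list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if (ace["proto"] in ("ip", proto)          # 'ip' matches any protocol
                and ace["src"] in (None, src)
                and ace["dst"] in (None, dst)
                and ace["dport"] in (None, dport)):
            return ace["action"], n
    return "deny", None


ACL = [parse_ace(line) for line in ACL_LINES]
```

Evaluating a workstation's connection to an outside host on port 25 returns the deny from entry 2, while the same workstation on port 443 falls through to entry 3; reorder the list so the permit ip any any comes first and the workstation's SMTP is permitted, which is exactly the misconfiguration the ordering avoids.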