0

Our organization has blocked all outbound SMTP traffic under the assumption that we are preventing potential botnet spamming issues which lead to blacklisted IPs. However, I've seen other organizations which have been set up to allow this and am curious what recommendations are for being the most secure and protected in regards to SMTP traffic.

An initial thought is that perhaps just unblock 465 and 587 so that only the secure channels are allowed (I don't believe you need 25 open for the secure SMTP ports to be used). But thinking further, perhaps find a list of common SMTP servers of large ISPs that would be more-or-less considered safer than (say) smtp.spammersite.ru?

Any recommendations on this?

bjb
  • 103
  • 3
  • 1
    Unblocking the "secure" ports only means there is transport security (or a potential for transport security, since STARTTLS isn't mandatory). It does not distinguish good servers from bad. – Polynomial Mar 22 '19 at 13:06
  • Depends on the organization. Businesses often restrict egress traffic whereas higher education will allow it. A great first step is to determine if any policies currently exist and if the organization needs to meet any compliance standards (eg HIPAA). – user2320464 Mar 22 '19 at 14:42

2 Answers2

2

You unblock only the ports intended for clients to send mail to their own mailserver. This would be 465 and 587. Servers on this ports should always require authentication from clients, so they can't be used by spam bots easily. Port 25 is intended to be used only to send mail from server to server. Don't allow connections there, with the exception of known mail servers in your organization, obviously.

If you have a common ISP that requires mails to be submitted on port 25, I would only ever unlock it if this is a separate server from their incoming mailserver and requires authentication.

Josef
  • 5,973
  • 26
  • 34
0

In a medium to large organization, you should have an internal mail server. In that case, the mail related protocols (SMTP, IMAP, POP and their SSL variants) should be blocked for all the internal machines except the mail server which should have unlimited input and output on the SMTP ports (normal and SSL).

In smaller organization that have no internal mail server, one external mail server should be chosen (normally the ISP one)and internal machines should be only allowed to connect to those servers through the mail related protocols. And in that case it would make sense to block port 25 and only allow 587 for client mail submission.

That way, even if a client was compromised it could not be used as an open mail relay.

Your mileage may vary: you could have first solution except for a dedicated department which could have special needs...

Serge Ballesta
  • 26,693
  • 4
  • 44
  • 89