topic SMTP port 25 in General Topics

SMTP port 25

kdasanmartino — Wed, 06 Apr 2022 22:58:21 GMT

We are progressing to moving show services to the cloud and I'm been told that port 25 is not opened or being blocked in Palo Alto. So where do I check to find out if this is being allowed or being blocked?

Sorry this is a really basic question but I've been asked to resolve this because the regular guy has left the company..

Re: SMTP port 25

PavelK — Thu, 07 Apr 2022 02:08:39 GMT

Thank you for the post @kdasanmartino

if traffic is already flowing through Firewall, you can get this information from logs. Please navigate to: Monitor > Logs > Traffic, then you can use for example filter: ( port.dst eq 25)

If you need to test policy match, you can refer to this link: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/test-policy-rule-traffic-matches

Kind Regards

Pavel

Re: SMTP port 25

kdasanmartino — Thu, 07 Apr 2022 14:45:32 GMT

Thanks for your email. I did find that port 25 is being denied by policy. There is a policy in place for the ip address in question but don't see anything that indicates it's not allowing port 25.

Re: SMTP port 25

Adrian_Jensen — Thu, 07 Apr 2022 20:33:26 GMT

How is the policy in place for the IP address applied? Is this inbound or outbound does it match the expected traffic path?

There are many different options in the Security Policies, and many ways to set them up, but you primarily want to focus on 6 fields in your Security Policies:

Source Zone - The zone the arriving packets appear in assigned by physical interface (i.e. "Trust" for you internal connection, "Untrust" for your internet connection, etc.)... whatever your previous admin named them.
Source Address - The source IP address for the packets (could be a specific server, group, or "any" for all sources).
Destination Zone - The zone exiting packets go out.
Destination Address - The destination IP address.
Application - This is how the PaloAlto classifies the type of traffic being passed (you can specify things like "smtp" and have the PA automatically determine and follow appropriate ports/protocols).
Service - This is the specific port/protocol combination of the traffic (i.e. an object "SMTP_PORTS=TCP/25" you have defined, "any", or "application-default" where it will depend on the Application set).

You can specify any/all of those values and the PA will match the passing traffic to the most specific rule found. So if your existing policy in place is for the specific IP Address, but the Application is "web browsing", then that policy will not match the SMTP traffic and the packets will fall thru to another rule, possibly ending up at the built in "interzone-default - Deny".

Examples, your specifics may vary depending on block lists, country exceptions, etc.:

Name = "Allow inbound SMTP/POP/IMAP/HTTP/HTTPS to mail server"

SrcZone = Untrust

SrcAddr = any (you can restrict to specific IPs or geolocation regions like "US)

DstZone = DMZ

DstAddr = "mail-server" (address object you have defined under objects that points at DMZ IP 192.168.1.100)

Application = smtp,pop3,imap,web-browsing

Service = application-default

Action = Allow

Name = "Allow outbound SMTP connections from servers"

SrcZone = Trust

SrcAddr = 172.16.5.36,172.20.1.59

DstZone = Untrust

DstAddr = any

Application = any

Service = SMTP_PORTS

Action = Allow

Name = "Block all other outbound SMTP"

SrcZone = Trust

SrcAddr = any

DstZone = Untrust

DstAddr = any

Application = any

Service = SMTP_PORTS

Action = Deny

Re: SMTP port 25

kdasanmartino — Thu, 07 Apr 2022 22:30:02 GMT

Thanks for all the good information. My Director has ask that I do not make changes to the Palo Alto system do to the importance of the system.

thanks again.