topic Re: Outgoing SMTP in General Topics

Outgoing SMTP

BobW — Wed, 29 Jan 2014 16:39:53 GMT

It used to be best practice to not allow outgoing SMTP except from the primary server. I am finding more and more applications have a dependency of allowing SMTP outgoing. I am curious what others are doing with regard to these dependencies.

Thanks,

Bob

Re: Outgoing SMTP

HULK — Wed, 29 Jan 2014 18:28:21 GMT

Hello Bob,

Please go through this discussion once : Re: Application Dependency PAN-OS 5.0.0 more >>>>>> hope it will help you to understand How application dependencies works on PAN firewall.

Related link: Application Research Center

Thanks

Re: Outgoing SMTP

BobW — Thu, 30 Jan 2014 16:47:46 GMT

Thanks for your suggestion, however, I am more interested in if others are letting SMTP for all of the users who's apps require it.

Bob

Re: Outgoing SMTP

HITSSEC — Fri, 31 Jan 2014 02:40:02 GMT

Bob,

We only allow only our smtp gateway (Hub transport) to send email outbound. We force application servers to relay off the Hub transport. We control what servers are allowed to relay by using an access control list on the hub transport. I am assuming you question is a business policy / process issue.

Hope this helps.

Phil

Re: Outgoing SMTP

BobW — Fri, 31 Jan 2014 03:12:10 GMT

Yes that is helpful. It sounds more like I am used to in the past. I am now working at a boarding school and a number of Ipad Apps, web(ish) email programs etc., have a dependency in the PA on outgoing port 25 as well as port 587. I am fortunate that the vast majority of workstations are Apple based so realistically not as big a concern as a Windows OS.

Any additional thoughts would be appreciated,

Bob

Re: Outgoing SMTP

pulukas — Sat, 01 Feb 2014 17:20:26 GMT

you could try creating an outbound allow smtp policy and have it flagged for the application of all the popular online mail services.

If the application awareness does not extend to smtp, then you could manually determine the smtp server destinations from these services mx records. then create an outbound destination based rule that permits smtp to these services but denies it more generally.

Re: Outgoing SMTP

darren_g — Tue, 04 Feb 2014 23:50:11 GMT

BobW wrote:

Any additional thoughts would be appreciated,

Bob

I deny it from everything except our authorised email gateway and just ignore the application dependency warnings I get every time I commit a config change.

Re: Outgoing SMTP

msullivan — Wed, 05 Feb 2014 20:52:34 GMT

You should tie the traffic down, permitting only valid outbound SMTP servers through the firewall. The issue you're facing is that your IP reputation can get tarnished by unruely clients and you'll end up on RBLs all over the place. That of course, can impede your business processes.

Cheers,

Mike

Re: Outgoing SMTP

darren_g — Thu, 06 Feb 2014 01:01:03 GMT

msullivan wrote:

Cheers,

Mike

Which is exactly why I did it - some piece of i-Crap was sending email using SMTP and identifying itself as "localhost.localdomain", and I ended up in a blacklist somewhere which stopped my regular SMTP relay from working, despite it being configured correctly.

Re: Outgoing SMTP

BobW — Sat, 08 Feb 2014 19:52:37 GMT

So what I have done is:

Started sending our legit SMTP traffic through our spam filtering service (MXLogic in our case).
Force all legit SMTP outgoing from our server to a particular external IP address.
Allow SMTP from client apps to go out a group of 10 IPs via their rules.

At least that will keep my primary IP off of any black lists.

Bob

Re: Outgoing SMTP

pulukas — Sat, 08 Feb 2014 20:04:26 GMT

Nice summary.

Using a different nat pool for the public or web browsing segments as opposed to your primary smtp or other servers is a good practice. Keeps the bot net infections from poisoning the reputation of your production traffic.