Outgoing SMTP

L4 Transporter

It used to be best practice to not allow outgoing SMTP except from the primary server.  I am finding more and more applications have a dependency on allowing outgoing SMTP.  I am curious what others are doing with regard to these dependencies.

Thanks,

Bob


L7 Applicator

Hello Bob,

Please go through this discussion: Re: Application Dependency PAN-OS 5.0.0. Hope it will help you understand how application dependencies work on the PAN firewall.

Related link: Application Research Center

Thanks

L4 Transporter

Thanks for your suggestion, however, I am more interested in whether others are allowing SMTP for all of the users whose apps require it.

Bob

L4 Transporter

Bob,

We only allow our SMTP gateway (Hub Transport) to send email outbound.  We force application servers to relay off the Hub Transport.  We control which servers are allowed to relay by using an access control list on the Hub Transport.  I am assuming your question is a business policy / process issue.

Hope this helps.

Phil

Yes, that is helpful.  It sounds more like what I am used to from the past.  I am now working at a boarding school, and a number of iPad apps, web(ish) email programs, etc., have a dependency in the PA on outgoing port 25 as well as port 587.  I am fortunate that the vast majority of workstations are Apple based, so realistically it is not as big a concern as with a Windows OS.

Any additional thoughts would be appreciated,

Bob

L7 Applicator

You could try creating an outbound allow-SMTP policy and have it flagged for the applications of all the popular online mail services.

If the application awareness does not extend to SMTP, then you could manually determine the SMTP server destinations from these services' MX records.  Then create an outbound destination-based rule that permits SMTP to these services but denies it more generally.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

BobW wrote:

Yes, that is helpful.  It sounds more like what I am used to from the past.  I am now working at a boarding school, and a number of iPad apps, web(ish) email programs, etc., have a dependency in the PA on outgoing port 25 as well as port 587.  I am fortunate that the vast majority of workstations are Apple based, so realistically it is not as big a concern as with a Windows OS.

Any additional thoughts would be appreciated,

Bob

I deny it from everything except our authorised email gateway and just ignore the application dependency warnings I get every time I commit a config change.

L3 Networker

You should tie the traffic down, permitting only valid outbound SMTP servers through the firewall.  The issue you're facing is that your IP reputation can get tarnished by unruly clients and you'll end up on RBLs all over the place.  That, of course, can impede your business processes.

Cheers,

Mike

msullivan wrote:

You should tie the traffic down, permitting only valid outbound SMTP servers through the firewall.  The issue you're facing is that your IP reputation can get tarnished by unruly clients and you'll end up on RBLs all over the place.  That, of course, can impede your business processes.

Cheers,

Mike

Which is exactly why I did it - some piece of i-Crap was sending email using SMTP and identifying itself as "localhost.localdomain", and I ended up in a blacklist somewhere which stopped my regular SMTP relay from working, despite it being configured correctly.

So what I have done is:

  • Started sending our legit SMTP traffic through our spam filtering service (MXLogic in our case).
  • Force all legit SMTP outgoing from our server to a particular external IP address.
  • Allow SMTP from client apps to go out via a group of 10 IPs through their own rules.

At least that will keep my primary IP off of any black lists.

Bob

Nice summary.

Using a different NAT pool for the public or web-browsing segments, as opposed to your primary SMTP or other servers, is a good practice.  It keeps botnet infections from poisoning the reputation of your production traffic.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
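The thread settles on three controls: only the mail gateway may send SMTP anywhere (Phil's Hub Transport ACL and the "deny everything except the gateway" rule), client segments may reach only the MX hosts of named mail services (Steve's suggestion of deriving a destination list from MX records), and client SMTP egresses through a separate NAT pool so a blacklisting hits a throwaway address rather than the gateway's (Bob's 10-IP group and Steve's NAT-pool note). The block below is an added example, not PAN-OS configuration or any poster's own code: it models that policy in plain Python so the decisions can be checked offline. The domains, MX answers, A records, subnets and NAT addresses are all constructed for the example; in practice the MX text would come from `dig +short MX <domain>`.

```python
"""Offline model of the egress-SMTP policy from the thread (added example).

Rules, in match order:
  1. the mail gateway may talk SMTP (25/587) to any destination;
  2. hosts in the client network may talk SMTP only to the MX hosts of
     approved mail services, and leave through the client NAT pool;
  3. everything else on 25/587 is denied.
Non-SMTP traffic is reported as "no-match" (this rule set does not decide it).
"""
import ipaddress
from collections import namedtuple

# Constructed `dig +short MX` style answers ("<preference> <exchanger>.").
MX_OUTPUT = {
    "mail-service-a.example": "10 mx1.mail-service-a.example.\n"
                              "20 mx2.mail-service-a.example.\n",
    "mail-service-b.example": "5 smtp.mail-service-b.example.\n",
}
# Constructed A records for those exchangers (TEST-NET addresses).
A_RECORDS = {
    "mx1.mail-service-a.example": ["192.0.2.10"],
    "mx2.mail-service-a.example": ["192.0.2.11"],
    "smtp.mail-service-b.example": ["198.51.100.25", "198.51.100.26"],
}

MAIL_GATEWAY = ipaddress.ip_address("10.0.0.25")       # assumed gateway address
CLIENT_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed client segment
SMTP_PORTS = {25, 587}

GATEWAY_EGRESS_IP = "203.0.113.5"                      # reputation we protect
CLIENT_NAT_POOL = ["203.0.113.%d" % i for i in range(100, 110)]  # 10 throwaway IPs


def parse_mx(output):
    """Return exchanger hostnames from dig-style MX text, lowest preference first.

    Lines that are not '<int> <host>' are skipped so a stray comment or
    blank line in captured output does not end up in the allow-list.
    """
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        entries.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return [host for _, host in sorted(entries)]


def build_allow_list(domains, mx_lookup=MX_OUTPUT, a_lookup=A_RECORDS):
    """Set of destination IPs that client apps may reach on SMTP ports."""
    allowed = set()
    for domain in domains:
        for host in parse_mx(mx_lookup.get(domain, "")):
            for ip in a_lookup.get(host, []):
                allowed.add(ipaddress.ip_address(ip))
    return allowed


Verdict = namedtuple("Verdict", "action egress_ip reason")


def evaluate(src, dst, dport, allow_list):
    """Decide one flow: returns (allow|deny|no-match, egress NAT IP, reason)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if dport not in SMTP_PORTS:
        return Verdict("no-match", None, "not SMTP; outside this policy")
    if src == MAIL_GATEWAY:
        return Verdict("allow", GATEWAY_EGRESS_IP, "gateway may send anywhere")
    if src in CLIENT_NET and dst in allow_list:
        # Pin each client to one pool member so its sessions share a source IP,
        # but never the gateway's address.
        egress = CLIENT_NAT_POOL[int(src) % len(CLIENT_NAT_POOL)]
        return Verdict("allow", egress, "client to approved mail-service MX")
    return Verdict("deny", None, "outbound SMTP not permitted from this source")


if __name__ == "__main__":
    allow = build_allow_list(["mail-service-a.example", "mail-service-b.example"])
    print("client SMTP allow-list:", sorted(map(str, allow)))
    for flow in [("10.0.0.25", "192.0.2.200", 25),     # gateway to anywhere
                 ("10.10.3.4", "192.0.2.10", 587),     # iPad app to known MX
                 ("10.10.3.4", "192.0.2.200", 25),     # infected client, random host
                 ("10.0.1.9", "192.0.2.10", 25)]:      # app server bypassing relay
        print(flow, evaluate(*flow, allow))
```

The allow-list is only as good as its refresh: MX hosts change, so regenerate it on a schedule and diff it before committing, and treat a client that keeps hitting the deny rule as a cleanup ticket rather than a reason to widen the policy.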