Block certain mail

We need to add a rule that would block/drop all outgoing mail except destined for certain mail servers. What is the best way to do this? Still new to MT, but learning lots!

Eric

/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=25 dst-address-list=mail_servers in-interface=LAN
add chain=forward action=drop protocol=tcp dst-port=25 in-interface=LAN

Alternatively you can redirect all port 25 traffic to one of your mail servers with a NAT rule instead of just dropping SMTP to mail servers you don’t know about.

Destined to certain servers, or sent via certain servers? RouterOS can’t filter messages; that you need to do in the mail server that sends them.

Destined to certain servers. We just want to drop everything that isn’t meant for our specific mail servers.

The destination of the email message is inside the message. Filtering based on that can only be done if you are the SMTP server that sends it. Not possible on RouterOS.

We changed out our core router for MT. With our previous router, we had it set up so that it would drop bots and worms that were being sent out by infected client computers. So if emails were sent out from client machines that used any email servers other than ours, they were dropped.

Some of our professional clients had other company email servers that they used for their business, in this case we would add the ip address of their email server to our list of “approved” Email servers and their email would go through as well.

I still need to get the setup because our upstream provider is whining about it. Any help on this would be appreciated, Thanks

Eric

RouterOS cannot do that.

You want to block any new connections from your localnet clients to other email servers than yours for outbound email? This should do:

/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address=!xx.xx.xx.xx action=drop

Replace xx.xx.xx.xx with your email server IP.

Thanks for the quick reply, how do I add the list of email servers that are ok to send to?

Make an address list enumerating all the servers and use the line Tim gave you with a slight modification to check the address list rather than the destination address directly:

/ip firewall address-list
add list=OK-smtp address=1.1.1.1
add list=OK-smtp address=2.2.2.2
/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address=!OK-smtp action=drop

Completely missed that you weren’t trying to block content, just destination.

Then use these instead:

/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address-list=email action=accept
add chain=forward protocol=tcp port=25 connection-state=new action=drop

Then put the good server ips (including yours) in

/ip firewall address-list
add address=xx.xx.xx.xx list=email

EDIT: I added “connection-state=new” to each above.

I see fewi already answered. His is the same with one less entry.

Got my list created and all looks good there, however when I type in the last line I get the following:

[admin@www.mikrotikrouter.com] /ip firewall filter> add chain=forward protocol=tcp port=25 connection-state=new dst-address=!OK-smtp action=drop
value of range must have ip address before ‘-’
[admin@www.mikrotikrouter.com] /ip firewall filter>

That should have been “dst-address-list=!OK-smtp”, not “dst-address”. That is why I use my way. I can see easier what is being accepted and what is being dropped. I have not tried “dst-address-list=!address-list”.
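As an added example (not posted by anyone in this thread), the corrected configuration assembled from the replies above, using dst-address-list rather than dst-address, with the drop rule logged so that the source IPs of infected or misconfigured clients show up in the router log. It assumes the LAN interface is named "LAN" and keeps the thread's placeholder addresses.

```routeros
# Added example, not from any poster in this thread.
# Assumptions: LAN-side interface is "LAN"; 1.1.1.1 and 2.2.2.2 are the
# thread's placeholder addresses, replace them with your real relay IPs.
/ip firewall address-list
add list=OK-smtp address=1.1.1.1 comment="our own mail server"
add list=OK-smtp address=2.2.2.2 comment="business client's provider mail server"

/ip firewall filter
# New SMTP connections from the LAN to an approved relay are accepted.
# Note dst-address-list, not dst-address: the latter expects an IP or
# range, which is what produced the "value of range" error above.
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    in-interface=LAN dst-address-list=OK-smtp action=accept \
    comment="SMTP to approved mail servers"
# Any other new SMTP connection from the LAN is dropped and logged;
# the log line carries the client's source address for follow-up.
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    in-interface=LAN action=drop log=yes log-prefix="smtp-drop" \
    comment="block direct-to-MX SMTP from clients"
```

Both rules must sit above any general forward accept rule, since filter rules are evaluated top down; "/log print where message~"smtp-drop"" lists the blocked attempts by source address.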