Firewall rules to block outgoing SMTP

Hi, I’ve been reading about some rules to block outgoing SMTP traffic to avoid ending up on spam lists like Spamhaus. The idea is to block all outgoing SMTP traffic except from allowed servers.
I have 2 computers that have permission to send mail, and the SMTP service needs to be reachable from LAN and WAN.
Now I have a rule like this:

/ip firewall address-list
add list=Known-Good-SMTP address=192.168.1.10
add list=Known-Good-SMTP address=172.16.0.20
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address-list=!Known-Good-SMTP action=drop

but I’m not sure what traffic it is blocking. Also, I have a NAT rule to allow incoming SMTP traffic to one of these servers, which is working OK.

This rule blocks traffic TO the known servers; it does not prevent spammers within your network. I would reverse the rule using src-address-list and add an ACCEPT rule before the drop to allow traffic to these servers.

add chain=forward protocol=tcp dst-port=25,587 dst-address-list=Known-Good-SMTP action=accept 
add chain=forward protocol=tcp dst-port=25,587 src-address-list=!Known-Good-SMTP action=drop

If you want to check, use telnet from any other host not in the address list to log in to a known SMTP server outside your network (e.g. your ISP’s):

telnet smtp.example.org 25

If you get a reply on connect, things are not blocked as they should be.

Cheers.

EDIT: added accept rule

I would do…

add chain=forward protocol=tcp dst-port=25,587 dst-address-list=Known-Good-SMTP action=accept
add chain=forward protocol=tcp dst-port=25,587 dst-address=0/0 action=drop
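
To see which traffic each of the three rule sets in this thread lets through, here is a small first-match model of the forward chain; it is an added example, not part of any post above and not RouterOS code. Assumptions: the client and Internet addresses are constructed samples, the forward chain sees the destination after dst-nat, no other filter rules exist, and unmatched packets are accepted.

```python
# Known-Good-SMTP address list, as given in the thread
GOOD = {"192.168.1.10", "172.16.0.20"}

def in_list(addr, spec):
    """spec is None (match any), 'GOOD' (in list) or '!GOOD' (not in list)."""
    if spec is None:
        return True
    hit = addr in GOOD
    return not hit if spec.startswith("!") else hit

# Each rule: (dst-port set, src-address-list, dst-address-list, action)
RULESETS = {
    "original": [({25}, None, "!GOOD", "drop")],
    "reply_1": [({25, 587}, None, "GOOD", "accept"),
                ({25, 587}, "!GOOD", None, "drop")],
    "reply_2": [({25, 587}, None, "GOOD", "accept"),
                ({25, 587}, None, None, "drop")],
}

def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule, as the filter chain does."""
    for ports, src_spec, dst_spec, action in rules:
        if port in ports and in_list(src, src_spec) and in_list(dst, dst_spec):
            return action
    return "accept"  # assumption: nothing else in the chain, default is accept

# Constructed sample flows: (source, destination as seen in forward, dst port)
FLOWS = {
    "lan_client_to_internet": ("192.168.1.50", "203.0.113.25", 25),
    "mail_server_to_internet": ("192.168.1.10", "203.0.113.25", 25),
    "wan_to_mail_server": ("198.51.100.7", "192.168.1.10", 25),
    "lan_client_to_mail_server": ("192.168.1.50", "172.16.0.20", 25),
    "lan_client_submission_587": ("192.168.1.50", "203.0.113.25", 587),
}

def verdicts(name):
    """Map every sample flow to accept/drop under the named rule set."""
    return {flow: evaluate(RULESETS[name], *t) for flow, t in FLOWS.items()}

if __name__ == "__main__":
    for name in RULESETS:
        print(name, verdicts(name))
```

In this model only the src-address-list variant lets the two mail servers send to the Internet while dropping other LAN hosts; the original rule and the last variant also drop the mail servers' own outgoing port 25 connections.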