Community discussions

MikroTik App
 
hamster922
just joined
Topic Author
Posts: 8
Joined: Thu Jul 08, 2010 4:58 pm

How to allow smtp traffic on specific ips

Tue Feb 01, 2011 4:18 pm

Hi,

we have the problem that infected customers start over again to send spam. This happens about 1x per month. We have about 500 Customers in our Network.

We use this script to detect the infected users, and it works perfectly:

http://wiki.mikrotik.com/wiki/How_to_au ... MTP_output

It is possible that we block all smtp traffic on our gateway nat routers, and only allow say 10 ips of known mail servers?

Any ideas?
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: How to allow smtp traffic on specific ips

Wed Feb 02, 2011 5:19 pm

Sure. You're not very clear on what direction traffic is going in, but just as an example the below will block all SMTP traffic to servers other than 192.168.1.10 and 172.16.0.20.
/ip firewall address-list
add list=Known-Good-SMTP address=192.168.1.10
add list=Known-Good-SMTP address=172.16.0.20
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address-list=!Known-Good-SMTP action=drop
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
wildbill442
Forum Guru
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: How to allow smtp traffic on specific ips

Wed Feb 02, 2011 8:15 pm

As a general rule in an ISP environment, we block all outbound SMTP unless its destination is our mail servers. This forces users to employ SSL (465) or SMTP-AUTH (TCP 587). Without this rule a user will inevitably get a virus and land one of your IP addresses on an SMTP blacklist. If you NAT customers behind a single IP this could become extremely problematic.

Fewi's rule suggestion is exactly what you're looking for.

Most newer mail clients these days already try connecting on the more secure ports if port 25 fails to respond.
William Burnett
Network Engineer
 
hamster922
just joined
Topic Author
Posts: 8
Joined: Thu Jul 08, 2010 4:58 pm

Re: How to allow smtp traffic on specific ips

Wed Feb 02, 2011 11:05 pm

If you NAT customers behind a single IP this could become extremely problematic.
Thats the problem, from time to time we land on the blacklist with one of our 6 ips from the nat routers...

The script detect the bad host, but it's too late, than we are on the blacklist.

We have no incomming smtp traffic behind the nat routers, there are only private customers. So we can use the code from fewi :-)

In future we will block port 25 outgoing and use ssl. But set ssl smtp port on all customer pcs is too much work at time...

Thanks all :D

Who is online

Users browsing this forum: akotlyar, xvo and 103 guests