Blocking Outbound SMTP Traffic
Overview
Blocking SMTP traffic by using firewall rules can be a useful way to prevent unauthorized SMTP traffic, which may or may not contain spam, viruses or sensitive data. If you are using an internal mail server, you can block any outbound SMTP connections from local area network (LAN) clients while still allowing SMTP traffic from your mail server. This option is only available on InstaGate, as the ThreatWall product line does not have firewall functionality.
Firewall Configuration
There are many different email configurations possible with the InstaGate product line. This section covers the two most common configurations, which can be used as a baseline for other configurations.
Internal Mail Server
In this configuration, you will want to block SMTP connections from all clients with the exception of the internal mail server. This will require two LAN firewall rules: one to accept (allow) connections from the internal mail server, and one to deny (block) all other connections. Make sure the Accept rule is located above the Deny rule in the list of firewall rules. All LAN clients should use the internal mail server as the outgoing server in their email client settings.
1) Accept Rule
Action Accept
Interface LAN
Source Match - Include
Source Address or Network - Network - Server IP Address - Subnet 255.255.255.255
Destination Match - Include
Destination Address or Network - Object - ANY
Services - Selected - SMTP
2) Deny Rule
Action Deny
Interface LAN
Source Match - Include
Source Address or Network - Object - ANY
Destination Match - Include
Destination Address or Network - Object - ANY
Services - Selected - SMTP
InstaGate Mail Server
In this configuration, you will want to block SMTP connections from all clients unless they are sending through the InstaGate. This requires one firewall policy which will block all SMTP traffic from any client with a destination that is not the LAN IP of the InstaGate.
1) Deny Rule
Action Deny
Interface LAN
Source Match - Include
Source Network or Address - Object - ANY
Destination Match - Exclude
Destination Network or Address - Object - LANIP
Services - Selected - SMTP
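Why the rule order and the Exclude match matter in the two configurations above, shown as an added example that is not part of the original article and is not InstaGate code. This small Python model assumes rules are evaluated top-down with the first match winning and that unmatched traffic is allowed; all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
SMTP = 25

@dataclass
class Rule:
    action: str                     # "Accept" or "Deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_match: str = "Include"      # "Exclude" inverts the destination test
    port: int = SMTP                # Services - Selected - SMTP

    def matches(self, src, dst, port):
        in_src = ipaddress.ip_address(src) in self.src
        in_dst = ipaddress.ip_address(dst) in self.dst
        if self.dst_match == "Exclude":
            in_dst = not in_dst
        return port == self.port and in_src and in_dst

def evaluate(rules, src, dst, port=SMTP, default="Accept"):
    """Return the action of the first matching rule (assumed first-match order)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return default                  # assumption: unmatched LAN traffic is allowed

# Constructed sample addresses
MAIL_SERVER, CLIENT = "192.168.1.10", "192.168.1.50"
LAN_IP, PUBLIC_MX = "192.168.1.1", "203.0.113.25"

accept_server = Rule("Accept", ipaddress.ip_network(MAIL_SERVER + "/255.255.255.255"), ANY)
deny_all = Rule("Deny", ANY, ANY)

internal_ok = [accept_server, deny_all]          # Accept above Deny, as required
internal_misordered = [deny_all, accept_server]  # Deny first: server is blocked too
instagate = [Rule("Deny", ANY, ipaddress.ip_network(LAN_IP + "/32"), dst_match="Exclude")]

if __name__ == "__main__":
    cases = [("internal, correct order", internal_ok, MAIL_SERVER, PUBLIC_MX),
             ("internal, correct order", internal_ok, CLIENT, PUBLIC_MX),
             ("internal, misordered", internal_misordered, MAIL_SERVER, PUBLIC_MX),
             ("InstaGate relay", instagate, CLIENT, PUBLIC_MX),
             ("InstaGate relay", instagate, CLIENT, LAN_IP)]
    for name, rules, src, dst in cases:
        print(f"{name}: {src} -> {dst}:25 {evaluate(rules, src, dst)}")
```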
Gateway Anti-Virus Configuration
Gateway Anti-Virus has a setting that configures a proxy to intercept email traffic, and this proxy acts before the firewall rules that you have added. This setting must be disabled for the firewall rules to work properly. This can be done by going to Gateway Anti-Virus > Settings > Advanced. Disable Other SMTP Scanning and click Apply. Local (Relay/Server) SMTP Scanning should remain enabled, as should outgoing scanning.
Troubleshooting
To test the firewall rules, you can send test messages with email clients or use a telnet test from the LAN. Verify that connections are allowed to pass to acceptable destinations, such as the Internal Mail Server. Also verify that connections are blocked to inappropriate destinations, such as public SMTP servers.
The examples above are simply the most common configurations and may not fit your network environment. You can use these rules as a guideline, but you may have to make some modifications or add additional policies for your network. Please read the Firewall Policy Training Guide for more details on firewall policies.