Block Port 25 with Exchange Server on Network

Started by amd.64, August 21, 2024, 07:21:55 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 21, 2024, 07:21:55 AM
I have an Exchange server (Ex 2019 on Server 2022) running behind OPNSense version 24.7.1. I have been black list due to a non-mail server system being infected with malware using port 25. Infection has been removed. SpamHaus has unblack listed my public IP. However, I still received an error when trying to send an email to a trusted email server.

So, to hopefully fix this error and prevent it in the future, I want to block all outbound traffic on port 25 from all devices on the network (including guest network) with the lone exception being the Exchange Server? What is the best way to do this. I am asking here so that I not only get it right but get it right the first time.

Details are:
I have a 5 public IP block
WAN port is configured with X.X.X.105
I have added a virtual IP of X.X.X.106
Public DNS points to and required ports for Exchange (443) come in on X.X.X.106. There is currently no rule (allow or block – in or out for port 25)

Main Network X.X.107.0/24
Mail Server X.X.107.10
Guest Network X.X.214.0/24

I believe that the rules should look as follows on the WAN port

Two rules

1st rule to allow Exchange to send data out on port 25
Code Select
Allow
Direction - Out
Protocol - TCP
Source - X.X.107.10 /24
Port - 25 or should it be any
Destination * (any)
Port 25

2nd rule to block everything else trying to use port 25
Code Select
Block
Direction - Out
Protocol - TCP
Source – * (any)
Port - 25 or should it be * (any)
Destination *  (any)
Port 25

Rule 1 comes before Rule 2 of course

Please let me know if I am correct, if not please let me know what would be correct.

Thank You
August 21, 2024, 08:38:38 AM #1
Single rule on local interfaces (not WAN).

August 22, 2024, 06:01:19 AM #2
If I create the rule you suggest it will rejected port 25 inbound form the mail server. Correct?

The issue as reported by SpamHaus is NOT my mail server, it was my notebook, which also had the infection.

The only device I want to allow to use port 25 is the email server (in or out), all others will be blocked.
August 22, 2024, 07:12:22 AM #3
Quote from: amd.64 on August 22, 2024, 06:01:19 AM
If I create the rule you suggest it will rejected port 25 inbound form the mail server. Correct?

No, it will not. Note the "Invert" checkbox.
August 23, 2024, 04:02:30 AM #4
I have attached images of both the firewall rule and alias that I created. Again I want to make sure this is done right. If you don't mind please verify everything is correct.

I want to make sure this issue is resolved so I don't have to worry or deal with it again in the future.
August 23, 2024, 04:31:45 AM #5
Looks good. You can test easily with telnet from any box on the interface,

Code Select
telnet smtp.google.com 25

Should get blocked and logged on firewall.
August 23, 2024, 04:43:08 AM #6
Yep works. No connection from my notebook, connection from mail server.

THANK YOU
August 23, 2024, 08:44:30 AM #7
Thanks for bringing this up. I implemented this on my opnsense right away. Better safe than sorry.
Deciso DEC850v2
Print
Go Up Pages1
User actions