Rules to block Email?



  • Hi,
I was wondering if someone could help me with these rules? I'm currently running my own email server, IP 10.10.1.216. I would like certain users to only send and receive email internally and not externally. I created a group "Email" for the users I want to block. Not sure if I also have to create a WAN rule instead of the LAN?  :-X Or would the destination be Any or WAN net?

    Thank you



  • Well, assuming I am understanding your question…

    Would the following work for you ( change the port alias and ip alias to suit your network )?

The way I did it was to use the aliases for ports and client address with an inverted match on the destination MTA, which I am thinking is internal. You're looking at trying to mitigate a compromised host from sending email, right? I may have misunderstood. Also, I am new here but wanted to try and help. ALSO, my understanding is that a "FLOATING" rule will match first on any chain / table. Maybe someone else can chime in. I do think that should work though; of course, rule order will matter.

    Hope it helps.

EDIT: I am bad at adding images. And yes, you're seeing my lame internal domain.





    ![FLOATING_MAIL RULE_LOG_DROP.png](/public/imported_attachments/1/FLOATING_MAIL RULE_LOG_DROP.png)



Thank you for the reply and great screen pics :) really appreciate the help. So let me see if I understood correctly.

My internal email server is 10.10.1.216 and let's say I have users from 10.10.1.20-10.10.1.25 that WILL NOT receive or send email to the outside world; they can ONLY send internally.

The ports have to be 25, which is SMTP, to send and 110, POP, to receive. I never really understood the floating rule; I only know that it is a must when traffic shaping.

But not sure if that's going to work :(

    Thank you again



Well, as I said, my understanding of the floating rule is that it matches first. However, to be direct, you could put it on the LAN. As to the ports, you could add every conceivable port used for mail (smtp, pop, 587, 993, etc.) and then inverse the match on the destination. This would just LOG / DROP anything going to those ports that was not your internal MTA. I was just thinking of using a floating rule to keep it a bit easier to manage with just the one rule (in a case where you had LAN, LAN1, OPT1, etc.). So, on the LAN side, it would be a port alias, an IP alias, and a rule with an inverse match on DESTINATION with a quick match and LOG / DROP.

I honestly think that would get you to what you're trying to do. I have to say that I don't do it here at the house; however, if the rule was towards the top of your table it would DROP ALL EXTERNAL MAIL RELAYS. Keep in mind you should also set a rule which defines your MTA as a SOURCE so that it can actually send out to external MTAs.

Funny, you would be surprised how many jobs I have been at where this bit them in the butt when a Windows workstation was compromised with a spammer bot that could have been stopped by doing what you're trying to do. Again, new to the forums, thinking this should work, but I think some of the other folks on here may be able to point out a better solution.

    Hope it helps. I'll just watch from here on out. Curious if that is the best route to take.



  • Thanks for the reply,

So I tried first only the Floating rule and nothing :( emails can still be sent to users outside.

Then I tried the LAN; that also won't work.

    So let me get this correct

My EMAIL alias is the users that are going to get blocked ONLY from sending and receiving emails to/from the outside world.

My MAIL alias is the ports 110 and 25.

And lastly, 10.10.1.216 is the mail server. Any ideas?

    Thank you





  • Netgate

    You don't need to mess around with floating rules for this. Go ahead and delete that.

    You cannot control access to same-subnet traffic using a Layer 3 firewall. If the mail clients on the EMAIL alias IP addresses are configured to use 10.10.1.216 as their mail server, then all you need to do is block all other outgoing connections to TCP/25 from those hosts on LAN:

    Action: Reject
    Interface: LAN
    Protocol: TCP
    Source: EMAIL
    Source port: *
    Destination: *
    Destination port: 25

    That is simplistic for port 25 only. Other common SMTP ports are TCP/465 and TCP/587. 587 is not supposed to accept submissions without user authentication.



  • Hi,
Thank you for the reply. So in Outlook on the user's machine, the email server is configured as 10.10.1.216 using 25 for SMTP and 110 for POP.

    Deleted the floating,

I did try the rules as you described, and no luck; the user can still send emails outside and receive from outside.

    Not sure what could be wrong :(

    Thank you



  • Netgate

    SMTP rules only need to be TCP.

    Are you sure they're not configured to use 465 or 587? Or maybe they try those ports if 25 is blocked?

SMTP generally doesn't keep a connection alive, but it might be worth clearing states just to see. Or at least examining the states filtered on the local host to see what's there. Rules only block new connections.



  • Hi,
Thank you for the reply. Yes, the email ports only use 25. I will also add 465 and 587 just in case. Tomorrow I will give it another go.

    Thank you again keep you posted



@killmasta93:

    > My internal email server is 10.10.1.216 and let's say I have users from 10.10.1.20-10.10.1.25 that WILL NOT receive or send email to the outside world; they can ONLY send internally.
    >
    > The ports have to be 25, which is SMTP, to send and 110, POP, to receive. I never really understood the floating rule; I only know that it is a must when traffic shaping.
    >
    > But not sure if that's going to work :(
    >
    > Thank you again

If your mail server and users are both on the same internal network as you seem to suggest, then a firewall rule will not help. Users will connect to the server directly before they even touch the firewall. If you want to prevent certain users from sending external email through the mail server but allow others, then you have to configure this on the mail server itself. If you want to prevent anyone internally from sending external emails entirely, then block your mail server (source) from sending TCP 25 traffic from the LAN to the outside.
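As an added example (not from anyone in this thread), here are the Netgate reply's LAN rule and the alternative from the post above written in pf.conf syntax rather than the pfSense GUI, so the fields map one to one; the interface names, the EMAIL host list and the extra SMTP ports are assumptions:

```pf
# Added example, not from the thread. Assumptions: LAN is em1, WAN is em0,
# EMAIL alias covers 10.10.1.20-10.10.1.25, MTA is 10.10.1.216.
lan_if = "em1"
wan_if = "em0"
mta    = "10.10.1.216"
table <EMAIL> { 10.10.1.20/30, 10.10.1.24/31 }    # 10.10.1.20 - 10.10.1.25
mail_ports = "{ 25, 465, 587 }"                   # SMTP, SMTPS, submission

# Netgate reply (Action: Reject, Interface: LAN, Source: EMAIL, Dest port: 25),
# widened to the other SMTP ports and with the inverted destination match from
# the first reply. "quick" makes it final, so it must sit above the LAN pass rule.
# Caveat from the post above: EMAIL -> 10.10.1.216 is same-subnet traffic and
# never reaches this firewall, so the rule only bites on connections leaving the LAN.
block return in quick on $lan_if proto tcp from <EMAIL> to ! $mta port $mail_ports

# Alternative from the post above: nobody internal may send external mail at all,
# so stop the MTA itself from opening outbound SMTP. Inbound mail to the MTA is
# unaffected. Leave this out if the MTA must still relay to external servers.
block return out quick on $wan_if proto tcp from $mta to any port 25

# pfSense's default LAN rule, evaluated after the blocks above.
pass in quick on $lan_if from $lan_if:network to any keep state
```

Per-user restrictions (some users may send externally, others may not) still have to be done on the mail server, as the post above says; the firewall only sees the server's own outbound connections.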



True, good point. I ended up making rules using this guide:

    http://serverfault.com/questions/530406/postfix-block-local-user-from-sending

    Thanks again