
I work at a small ISP; we manage about 60 buildings with p2p radios and a main Cisco router at a central location. Recently we were notified that a phishing domain is associated with one of our IPs. When tracing the IP, the tracert hops along 20-60 client machines before hitting the trace target.

If I block SMTP traffic (port 25) at the router, will people using Outlook not be able to send emails? Or would this only stop the type of traffic I'm trying to stop (spambots hosted on our network)?

demiAdmin

  • Sidenote: Your clients' sysadmins will *really* appreciate it if you have a single page on your website that lists exactly what traffic you do and do not allow on your network (e.g., we allow all traffic except to/from RFC1918 addresses, and port 25 is blocked, etc.), and whether there's a way to opt out of the restrictions. Also, a big +1 for caring about spam! – Chris S Oct 16 '14 at 14:48
  • +1 to Chris S for that - Actually publishing what traffic you disallow would put you head and shoulders above any of the major ISPs in my locality, in terms of transparency. I'd certainly appreciate that. – Evan Anderson Oct 16 '14 at 14:55
  • One caveat to be careful of: warning/failure e-mails that many Linux-based systems generate. Unless these are routed to some sort of internal system that will re-route them via a different port, you probably don't want to block them, and you certainly don't want to be debugging which system was the one that crashed but wasn't able to send a message when you do have something down. – user2813274 Oct 16 '14 at 17:09

2 Answers


Blocking outbound connections to destination TCP port 25 is something that a lot of ISPs do today. While I don't particularly like it, it's a pretty typical thing that gets done.

So long as you publish to your users that you're making this change, and perhaps take some packet captures to pre-emptively see who might be affected by the change, I think it's reasonable. I'd give users who have a legitimate need a way to opt out, as well.

Outlook shouldn't be your concern. Rather, you should be thinking about SMTP flow in general.

In the "old days" individual users often ran an email client configured to send email to a remote server on TCP port 25. Increasingly, with ISPs blocking outbound TCP port 25, many corporate email servers have moved to using TCP port 587 (the SMTP "submission" port). Arguably, using port 587 is the right configuration anyway, but you may have some Customers who are using servers that have lagged behind current trends.

Outlook, when deployed for corporate users, typically doesn't use SMTP / IMAP / POP, etc. Rather, you'll see Outlook talking to an Exchange Server computer over HTTPS (which is used to encapsulate Microsoft's proprietary RPC, MAPI, and ActiveSync protocols) or a VPN. Likewise, most mobile phone clients that are talking to a Microsoft Exchange Server computer will also be using HTTPS encapsulating the ActiveSync protocol.

Evan Anderson

  • +1 Second paragraph is the most important... maybe should have been first. – Chris S Oct 16 '14 at 14:42
  • That sounds good. I'll do some captures at the router first to see who would be affected. I have a feeling it may be an overwhelming number of clients... So I would email these customers and inform them that their company email servers are using a very outdated configuration? Or could I just send customers steps to configure their client to use port 587? – demiAdmin Oct 16 '14 at 14:48
  • @Derp - I'd go the route of diplomatically suggesting to the Customers that they need to change their email client configuration, but I don't think I'd suggest that anything is "outdated". I'd definitely word it such that the Customer knows to contact their IT support if they're using a corporate-owned device that they may not have rights to make changes to. – Evan Anderson Oct 16 '14 at 14:51
  • Very helpful Evan, thank you. I'm slowly learning that part of being a good sysadmin is being a practiced humanitarian ;) – demiAdmin Oct 16 '14 at 14:58
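The answer above recommends two concrete steps before blocking outbound port 25: capture traffic at the router to see which customers still submit mail directly on port 25, and give hosts with a legitimate need an opt-out. The script below is an added example written for this page, not code from the answerer or from any ISP. It parses constructed `tcpdump -nn`-style lines (documentation prefixes only; the addresses, the customer prefix `198.51.100.` and the ACL name `BLOCK-SMTP-OUT` are assumptions), lists every customer host that opened TCP/25 connections together with how many distinct mail servers it contacted, and then emits the Cisco IOS extended ACL that would enforce the policy while exempting the opt-out hosts. The fan-out threshold used to highlight hosts talking to many different servers is a rough heuristic chosen for the example, not a rule from the page.

```python
import re
from collections import defaultdict

# Constructed sample in the style of "tcpdump -nn" output, invented for this example.
# 198.51.100.0/24 plays the role of the ISP's customer address space.
SAMPLE_CAPTURE = """\
14:01:02.110 IP 198.51.100.23.51234 > 203.0.113.5.25: Flags [S], seq 1, win 64240
14:01:02.320 IP 198.51.100.23.51235 > 203.0.113.6.25: Flags [S], seq 1, win 64240
14:01:03.001 IP 198.51.100.40.44001 > 203.0.113.9.587: Flags [S], seq 1, win 64240
14:01:03.555 IP 198.51.100.77.60001 > 192.0.2.11.25: Flags [S], seq 1, win 64240
14:01:04.002 IP 198.51.100.23.51236 > 203.0.113.7.25: Flags [S], seq 1, win 64240
14:01:04.700 IP 198.51.100.77.60002 > 192.0.2.11.25: Flags [S], seq 1, win 64240
14:01:05.100 IP 198.51.100.88.33000 > 203.0.113.5.443: Flags [S], seq 1, win 64240
14:01:05.900 IP 203.0.113.5.25 > 198.51.100.23.51234: Flags [S.], seq 1, ack 2, win 65535
"""

# Match only pure SYNs (Flags [S]); the SYN-ACK reply "[S.]" from the remote
# server is deliberately excluded so that inbound replies are not counted.
SYN_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\],"
)


def outbound_smtp_sources(capture_text, our_prefix="198.51.100."):
    """Return {customer_ip: set(destination_ips)} for connection attempts
    from our address space to destination TCP port 25. Port 587/465
    submissions are ignored because the proposed filter leaves them alone."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        m = SYN_LINE.search(line)
        if not m:
            continue
        if m["dport"] != "25" or not m["src"].startswith(our_prefix):
            continue
        seen[m["src"]].add(m["dst"])
    return dict(seen)


def affected_hosts_report(seen, fanout_threshold=3):
    """Sort affected customers by how many distinct mail servers they contacted.
    A host that submits to one server looks like a client with an old port-25
    setup; a host fanning out to many servers is worth a closer look before the
    customer is contacted. The threshold is an assumed heuristic, not a rule."""
    rows = []
    for src, dsts in sorted(seen.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        rows.append((src, len(dsts), len(dsts) >= fanout_threshold))
    return rows


def build_ios_acl(exempt_hosts, name="BLOCK-SMTP-OUT"):
    """Emit a Cisco IOS extended ACL: opt-out hosts keep port 25, everyone
    else is denied (and logged), and all other traffic is permitted.
    Apply it inbound on the customer-facing interface with
    'ip access-group BLOCK-SMTP-OUT in' (assumed topology)."""
    lines = [f"ip access-list extended {name}"]
    for host in sorted(exempt_hosts):
        lines.append(f" permit tcp host {host} any eq 25")
    lines.append(" deny tcp any any eq 25 log")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    seen = outbound_smtp_sources(SAMPLE_CAPTURE)
    for src, n_dst, flagged in affected_hosts_report(seen):
        note = "  <- many distinct servers, review first" if flagged else ""
        print(f"{src:16} contacted {n_dst} server(s) on tcp/25{note}")
    # 198.51.100.77 is treated as a customer who asked to opt out (assumed).
    print(build_ios_acl({"198.51.100.77"}))
```

Run the capture survey for at least a full business day before acting on it, since the monitoring-only mail the comments warn about (cron and system failure notices) tends to be bursty and is easy to miss in a short sample. The `log` keyword on the deny line gives you the post-change evidence of who is still hitting the filter, which is the list of customers to contact about port 587.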

While most users should use ports 465 or 587 to drop mails with their providers, you can't be sure of this, and there might be many users who still use port 25 (e.g. with STARTTLS or even unencrypted).

Sven