
I have an application that is running on Windows 10, and the server is hosted on AWS. For this application we have to whitelist IPs on the SMTP port (25) for test mail. The issue is that until now we have been doing the whitelisting in Security Groups (the firewall provided by AWS), and now we have reached the limit of 250 IPs by attaching 5 security groups (50 IPs per security group), and we cannot exceed that limit. So is there any other process where I can whitelist IPs on SMTP port 25 for talking (test mail) to the application?

Much Needed Help!!!

Thanks in Advance!!!!

Teja
  • This question needs clarification. Are the Win10 box and the server separate? If not, what is the server supposed to do? Who are the users that need to be whitelisted? Company employees? Random users? Does the whitelisting need to stick, or is this just a temporary whitelisting? – Chris White Jul 13 '17 at 10:09
  • Hi @Chris White - No, Windows 10 is the server; we have 2 Windows 10 boxes running behind a load balancer (ELB). The users are our clients who access our application. They will send a test mail to the server. Hope you got it @chris!!! – Teja Jul 13 '17 at 14:59
  • The bigger question is how many clients are we talking about? Also, from the sound of it this whitelisting is meant to be temporary? Is that correct? – Chris White Jul 13 '17 at 15:12
  • @ChrisWhite - At present we have 1500 clients, maybe more ongoing. Each of them has their own IP, and those IPs we need to whitelist for port 25, and the limit is only 250. Some IPs will be permanent and some temporary; if the client is no longer there we will remove that IP from the security groups. – Teja Jul 14 '17 at 09:23

1 Answer

Okay, so based on the comment clarifications, I'm not sure that IP whitelisting is such a good idea. Theoretically you could skip using Security Groups and have PowerShell interact with Windows Firewall instead (EC2 Systems Manager Run Command can be utilized to automate this).

However, with the number of clients (1500 cited) and the potential for growth, an IP whitelisting solution would at some point cause a noticeable hit on network performance (one good reason for security group limitations), as the firewall would be forced to check each packet against all conditions. Instead of this solution, I'd be on the side of recommending you consider an authorization scheme based on tokens/headers/etc. This turns authentication into a more on-demand type of situation and reduces the strain on network performance.

Chris White
  • Firstly, thanks for your reply. So you are saying that instead of using AWS Security Groups you are asking me to use PowerShell? If yes, could you please explain the process to me more clearly? – Teja Jul 14 '17 at 13:45
  • @Teja actually it's more of a recommendation to use some kind of authentication scheme instead of IP whitelisting. Given the number of users, whitelisting IPs will at some point have a noticeable impact on your network performance. So when the user sends an email they get back authentication credentials to use for whatever restricted process they need access to. This way it goes from "check this packet's source IP against this list of whitelisted IPs" to "check to see if this user is authenticated". – Chris White Jul 14 '17 at 13:56
  • Oh, got it. But could you please explain the process to me other than whitelisting them in security groups? In the end, when that IP hits the box it should get the test mail success. Thank you!!! – Teja Jul 14 '17 at 14:13
  • Hello @Chris White - Did you get any chance to look at my previous comment? Thank you!!! – Teja Jul 17 '17 at 07:42
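Added example, not code from the question or the answer: a PowerShell script that keeps a Windows Firewall inbound rule for TCP/25 scoped to a client allow-list, the host-firewall approach the answer mentions as the alternative to security groups (it can be pushed to each box with Run Command). The rule name and the sample addresses are assumptions; it also assumes an elevated session and that the instance sees the client's own source address rather than a load balancer's.

```powershell
# Maintain one inbound allow rule for TCP/25 whose RemoteAddress scope is the allow-list.
# Re-running with an updated list replaces the scope, so removed clients lose access at once.
$RuleName = 'SMTP-25-AllowListedClients'   # assumed rule name

# Constructed sample allow-list (documentation ranges); in practice load it from a file
# or parameter store. Single hosts and CIDR ranges are both accepted.
$Allowed = @('203.0.113.10', '198.51.100.0/24', '192.0.2.25')

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 25 -Action Allow -Profile Any -RemoteAddress $Allowed | Out-Null
} else {
    # Overwrite (not append) so the firewall scope always equals the intended list.
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Allowed
}

# Verification 1: the effective scope on the rule matches the allow-list.
$effective = (Get-NetFirewallRule -DisplayName $RuleName |
              Get-NetFirewallAddressFilter).RemoteAddress
$missing = $Allowed | Where-Object { $effective -notcontains $_ }
if ($missing) { throw "Scope mismatch, missing: $($missing -join ', ')" }

# Verification 2: the allow-list only restricts anything if no OTHER enabled inbound
# allow rule opens TCP/25 to a wider scope. List such rules so they can be reviewed.
$wider = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '25' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName }
if ($wider) {
    Write-Warning "Other inbound allow rules for TCP/25 exist; the allow-list is not effective:"
    $wider | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Output "TCP/25 is reachable only from $($effective.Count) allow-listed address(es)."
}
```

The security group must still permit TCP/25 from the clients (or from any source) for traffic to reach the host firewall at all; the host rule is what enforces the per-client list.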