What are recommendations for unblocking outbound SMTP traffic in an organization? [Resolved]

Our organization has blocked all outbound SMTP traffic under the assumption that we are preventing potential botnet spamming issues which lead to blacklisted IPs. However, I've seen other organizations which have been set up to allow this and am curious what recommendations are for being the most secure and protected in regards to SMTP traffic.

An initial thought is that perhaps just unblock 465 and 587 so that only the secure channels are allowed (I don't believe you need 25 open for the secure SMTP ports to be used). But thinking further, perhaps find a list of common SMTP servers of large ISPs that would be more-or-less considered safer than (say)

Any recommendations on this?

Asked March 25, 2019

In a medium to large organization, you should have an internal mail server. In that case, the mail-related protocols (SMTP, IMAP, POP and their SSL variants) should be blocked for all the internal machines except the mail server, which should have unlimited input and output on the SMTP ports (normal and SSL).

In smaller organizations that have no internal mail server, one external mail server should be chosen (normally the ISP one) and internal machines should be only allowed to connect to those servers through the mail-related protocols. And in that case it would make sense to block port 25 and only allow 587 for client mail submission.

That way, even if a client was compromised it could not be used as an open mail relay.

Your mileage may vary: you could have the first solution except for a dedicated department which could have special needs...
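
The two egress policies described in the answer above can be checked against firewall logs to find internal hosts that attempt mail traffic the policy would deny, which is a common sign of a spam-sending compromise. This is an added example, not part of the original answer; the addresses, the policy dictionaries, the function names and the netfilter-style log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# All addresses and names below are assumptions for illustration only.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_PORTS = {25, 465, 587, 110, 995, 143, 993}  # SMTP, POP, IMAP and SSL variants
SMTP_PORTS = {25, 465, 587}
# Scenario 1: an internal mail server is the only host allowed outbound SMTP.
POLICY_INTERNAL_SERVER = {"mail_server": "10.0.0.25"}
# Scenario 2: no internal server; clients may reach one chosen relay on 587 only.
POLICY_EXTERNAL_RELAY = {"relay": "203.0.113.10", "submission_port": 587}

FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP SPT=\d+ DPT=(\d+)")

def allowed(src, dst, dport, policy):
    """Return True if an outbound flow is permitted by the given mail policy."""
    if dport not in MAIL_PORTS:
        return True  # not a mail protocol, so outside the scope of this check
    if "mail_server" in policy:
        return src == policy["mail_server"] and dport in SMTP_PORTS
    return dst == policy["relay"] and dport == policy["submission_port"]

def violations(log_lines, policy):
    """Map each internal source IP to the denied (dst, port) pairs it attempted."""
    hits = defaultdict(set)
    for line in log_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        egress = (ipaddress.ip_address(src) in INTERNAL_NET
                  and ipaddress.ip_address(dst) not in INTERNAL_NET)
        if egress and not allowed(src, dst, dport, policy):
            hits[src].add((dst, dport))
    return dict(hits)

# Constructed sample lines in the style of netfilter LOG output.
SAMPLE_LOG = [
    "kernel: IN=lan OUT=wan SRC=10.0.0.25 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40112 DPT=25",
    "kernel: IN=lan OUT=wan SRC=10.0.3.44 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51234 DPT=25",
    "kernel: IN=lan OUT=wan SRC=10.0.3.44 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=51240 DPT=25",
    "kernel: IN=lan OUT=wan SRC=10.0.1.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44001 DPT=587",
    "kernel: IN=lan OUT=wan SRC=10.0.1.9 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=44002 DPT=443",
]

if __name__ == "__main__":
    for name, policy in [("internal server", POLICY_INTERNAL_SERVER),
                         ("external relay", POLICY_EXTERNAL_RELAY)]:
        print(name, violations(SAMPLE_LOG, policy))
```

A host that appears with many distinct destinations on port 25 is the case the blocking policy is meant to contain.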

