Blog | G5 Cyber Security

Block SMTP Email: Security Guide

TL;DR

This guide shows you how to block outgoing email (SMTP) at your workplace for security reasons, covering firewall rules, Exchange server settings, and monitoring. It’s aimed at preventing data leaks and malware spread.

1. Understand the Risks & Plan

Blocking all SMTP can disrupt legitimate business processes. Before you start:

2. Block SMTP on Your Firewall

Your firewall is the first line of defence. Here’s how to block outgoing SMTP traffic on TCP ports 25, 465 and 587:

  1. Log in to your firewall’s administration interface.
  2. Create a new rule: The specifics depend on your firewall brand (e.g., Cisco, Fortinet, Palo Alto). Look for sections like ‘Firewall Policies’, ‘Outbound Rules’, or similar.
  3. Rule Configuration:
    • Action: Block/Deny
    • Protocol: TCP
    • Source IP Address(es): Your internal network range (e.g., 192.168.1.0/24)
    • Destination Port(s): 25, 465, 587
    • Destination IP Address(es): Any (or specific external mail servers if known). Blocking ‘Any’ is the most comprehensive approach initially.
  4. Enable the rule: Make sure it’s active!

Example Cisco ASA configuration (port 25 shown; add matching lines for 465 and 587). The access list must be applied inbound on the inside interface so that it filters traffic leaving the network rather than traffic arriving from outside:

access-list inside_in extended deny tcp any any eq smtp
access-group inside_in in interface inside

3. Configure Exchange Server (If Applicable)

If you use Microsoft Exchange, you can block relaying to prevent unauthorized email sending.

  1. Open the Exchange Admin Center (EAC).
  2. Navigate to Mail flow > Receive connectors.
  3. Edit each receive connector: Double-click on a connector.
  4. Under ‘Scoped access’, configure restrictions:
    • IP address ranges: Add your internal network range and any trusted IPs to the allowed list.
    • Authentication: Require authentication for all incoming connections.
  5. Save changes. Repeat for all receive connectors.

You can also use Transport Rules to block specific email content or senders.

4. Block SMTP via Group Policy (Windows Domain)

If you have a Windows domain, you can use Group Policy to prevent applications from using SMTP directly.

  1. Open Group Policy Management Console (GPMC).
  2. Create or edit a GPO linked to your relevant OU.
  3. Navigate to: Computer Configuration > Administrative Templates > System > CurrentControlSet > Services > SMTP Virtual Delivery.
  4. Disable the ‘Start’ service setting: This prevents the local SMTP virtual delivery service from running.
  5. Apply the GPO and force a group policy update on client machines:
    gpupdate /force

5. Monitor Email Traffic

After implementing blocks, monitor your logs to ensure legitimate traffic isn’t being blocked and that unauthorized attempts are detected.
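To make the monitoring step concrete, here is an added example (not from the original post) that parses Cisco ASA deny messages produced by an outbound SMTP rule and reports internal hosts that keep trying to reach external SMTP ports. The log lines, the ACL name inside_in and the alert threshold are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Syslog lines as emitted by a Cisco ASA when an ACL denies a connection
# (message ID 106023). These sample lines are constructed for this example.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.50/51234 dst outside:203.0.113.10/25 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.50/51240 dst outside:203.0.113.11/25 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.77/40012 dst outside:198.51.100.5/587 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.50/51250 dst outside:203.0.113.12/465 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:192.168.1.50/51300 (192.168.1.50/51300)
"""

SMTP_PORTS = {25, 465, 587}
INTERNAL_NET = ip_network("192.168.1.0/24")  # the guide's example internal range

# Matches only the 106023 deny message and pulls out source, destination and port.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny tcp src \S+:(?P<src>[\d.]+)/\d+ "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_smtp_denies(log_text):
    """Return (src, dst, dport) tuples for denied SMTP attempts from internal hosts."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        src = ip_address(m.group("src"))
        if dport in SMTP_PORTS and src in INTERNAL_NET:
            hits.append((str(src), m.group("dst"), dport))
    return hits

def summarise(hits, threshold=2):
    """Count denied attempts per source host and flag hosts at or above threshold.
    Repeated attempts to many distinct destinations are the pattern worth a ticket:
    either a mis-configured application or a host trying to send mail past the relay."""
    per_host = Counter(src for src, _, _ in hits)
    dests = defaultdict(set)
    for src, dst, _ in hits:
        dests[src].add(dst)
    return {h: {"attempts": n, "distinct_dst": len(dests[h])}
            for h, n in per_host.items() if n >= threshold}

if __name__ == "__main__":
    for host, info in summarise(parse_smtp_denies(SAMPLE_LOG)).items():
        print(f"{host}: {info['attempts']} denied SMTP attempts to {info['distinct_dst']} hosts")
```

Feed the script your real ASA syslog export instead of SAMPLE_LOG; a host that appears here repeatedly is either a legitimate sender that needs to be pointed at the approved relay or a machine that warrants investigation.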

6. Regularly Review & Update

The threat landscape changes constantly. Review your blocks and whitelists regularly:
