#1 (permalink)
Administrator
Lately, we are getting more and more of this request. People want to allow only their mail server to send out mail and block everyone else.

If you want to log this, I recommend using the firewall rules. A few things to consider:

1) By default, Untangle has the "no rack" policy for port 25 outbound. You will need to uncheck or delete this rule. I suggest unchecking it, just in case you want to reuse it. (No longer needed on version 7.3 and up.)

2) You will need to change the quarantinable addresses under Config > Email > Quarantine. The default is *; change it to *@yourdomain.com or individually list all your users' email addresses.

3) Now the firewall rules. The firewall rules work from top to bottom. Your top rule needs to be the pass rule. It should be something like this:

Create the block rule like this:

Please remember to put the pass rule on top of the block rule. Notice that I did not check the log box on the pass rule. That is up to you. On the block rule, the log box is checked because most people want to know.

You can test whether the rules are working by telnetting from the mail server and from other users on the network. The mail server should be able to telnet out on port 25, and everyone else should get blocked.
__________________
To be understood, you must first understand. Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com
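The post above depends on one property of Untangle's firewall app: rules are evaluated top to bottom and the first match wins, which is why the pass rule for the mail server has to sit above the catch-all block rule. The small model below is an added example, not Untangle code, that reproduces that first-match behaviour on constructed traffic so the ordering mistake can be seen directly. The addresses (192.168.1.25 for the mail server, 192.168.1.50 for a workstation), the "internal" interface name and the assumption that unmatched traffic is passed by default are all illustrative assumptions.

```python
"""First-match model of Untangle-style firewall rules.

Added example (not Untangle code). It shows why the pass rule for the
mail server must be above the block rule for outbound TCP/25, and what
happens to the mail server when the two are reversed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed addresses for illustration only (assumptions, not from the post).
MAIL_SERVER = "192.168.1.25"
WORKSTATION = "192.168.1.50"


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    protocol: Optional[str] = None   # "tcp", "udp", or None for any protocol
    dst_port: Optional[int] = None   # None matches any destination port
    src_addr: Optional[str] = None   # exact source IP, None for any
    src_intf: Optional[str] = None   # source interface name, None for any
    log: bool = False                # the post logs the block rule but not the pass rule

    def matches(self, pkt: dict) -> bool:
        """True when every field that is set on the rule agrees with the packet."""
        return (
            (self.protocol is None or self.protocol == pkt["protocol"])
            and (self.dst_port is None or self.dst_port == pkt["dst_port"])
            and (self.src_addr is None
                 or ip_address(self.src_addr) == ip_address(pkt["src_addr"]))
            and (self.src_intf is None or self.src_intf == pkt["src_intf"])
        )


def evaluate(rules: List[Rule], pkt: dict, default: str = "pass") -> Tuple[str, Optional[Rule], bool]:
    """Walk the list top to bottom and return (action, matched_rule, logged).

    Traffic that matches no rule gets `default`; "pass" is assumed here
    to mirror a pass-by-default firewall.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule, rule.log
    return default, None, False


# The two rules from the post, as a pass rule and a logged block rule.
PASS_MAIL = Rule("pass", protocol="tcp", dst_port=25, src_addr=MAIL_SERVER, src_intf="internal")
BLOCK_ALL_25 = Rule("block", protocol="tcp", dst_port=25, src_intf="internal", log=True)

CORRECT_ORDER = [PASS_MAIL, BLOCK_ALL_25]   # pass above block, as the post says
WRONG_ORDER = [BLOCK_ALL_25, PASS_MAIL]     # block first: the pass rule is never reached


def smtp_attempt(src_addr: str, protocol: str = "tcp") -> dict:
    """A constructed outbound connection attempt to a remote MTA on port 25."""
    return {"src_addr": src_addr, "src_intf": "internal",
            "protocol": protocol, "dst_port": 25}


def outcome(rules: List[Rule], src_addr: str, protocol: str = "tcp") -> str:
    """Convenience wrapper: just the action for one host's SMTP attempt."""
    action, _, _ = evaluate(rules, smtp_attempt(src_addr, protocol))
    return action


if __name__ == "__main__":
    # The telnet test from the post, simulated for both rule orders.
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for host in (MAIL_SERVER, WORKSTATION):
            print(f"{label}: {host} -> {outcome(rules, host)}")
```

With the rules in the order the post describes, only the mail server reaches port 25 and every other internal host hits the logged block rule; with the order reversed the mail server is blocked too, because the block rule matches first and the pass rule is never consulted. The block rule is written for TCP only, so a UDP datagram to port 25 falls through to the default in this model, which is consistent with the later replies noting that SMTP is TCP.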
#3 (permalink)
Newbie, Join Date: Jun 2009, Posts: 11
Hi,

I implemented the above and it works. I did not uncheck the NORACK rule for port 25 as I can't find it. Where is it located? Also, I assume step 2 is meant so that if a workstation does start sending spam, Untangle doesn't create a quarantine for it. Is that correct? It may be a bit of work for this, as my server accepts mail for 20 domain names and 1000 mailboxes. I guess it's easier to enter the domain names. Please advise.

Thanks,
Ron
#4 (permalink)
Hi Ron,

If your installation is from a 7.3 or 7.4 ISO, there is no "no rack" rule. If there is one, it is located under "Default Rack" -> "Show Policy Manager" on the main screen (next to "Parent Rack: None").
__________________
"Of all the things I've lost, I miss my mind the most" Untangle Reseller (Sweden) WebFooL@fakenews.se http://fakenews.se/ Need space to upload content for your forum post? http://about.me/webfool
#5 (permalink)
SMTP port 25 traffic should only be TCP, shouldn't it? You don't need UDP...
__________________
Def1: Started: UT 7.1 x64 -- Current: UT 9.1 x64 | Gigabyte GM-G31 mATX | Intel Q8200 | 8G DDR2 800 | 80G WD | 4x Intel Pro 1000 GT NICs | Corsair 550W PSU | Norco RPC-250 2U Case | 50mb/50mb | 10 users
#6 (permalink)
Join Date: Apr 2008, Location: Phoenix, AZ, URLs submitted: 8, Posts: 15,454
Yeah, SMTP is a TCP protocol. Also, until Untangle gets rid of the outbound no rack policy for SMTP, all you need is the firewall block rule: block, destination port 25, protocol TCP, source interface internal. Then edit the no rack policy to have a client IP address of your internal SMTP server.

The firewall simply isn't consulted for the outgoing traffic because the traffic never sees the rack... you could do the same with a bypass rule. You generally don't want to filter outgoing traffic anyway, so you may as well free your Untangle of the load of passing outbound SMTP through the UVM at all.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#7 (permalink)
Master Untangler, Join Date: Aug 2008, Posts: 103
This may be a bit off topic, but it seems like emails with large attachments are blocked from coming in. I looked through the forums but did not really find any sound solution.
__________________
What does it profit you to gain the world and lose your soul?
#8 (permalink)
Master Untangler, Join Date: Nov 2008, Posts: 691
UT has no attachment limit. In fact, the larger the attachment, the more likely it is that UT will not even try to verify the message as spam with SpamAssassin.

Larger attachments take more time for the virus blocker to scan. I have sent 30-40 MB attachments through a UT router; it will perform this. You are more likely to run into a connection inactivity timeout issue on the receiving server or, more likely, a "message exceeds the set size limits" type of error. Yes, a little off topic.
__________________
The beatings shall continue until morale improves!
#9 (permalink)
Join Date: Jun 2008, Location: Argentina, URLs submitted: 57, Posts: 3,634
The risk of hijacking a post here, instead of creating your own thread, is that it gets read less, or gets fewer responses.
__________________
The world is divided into 10 kinds of people, those who know binary and those who do not