- Change the terminal and enable passwords on your PIX firewall.
- Look for old/unused e-mail accounts. Disable or delete any that you find since these can be a source of compromise.
- Change user passwords on your e-mail server. (You may have to change network passwords in conjunction with this.)
- Change the administrator password on the e-mail server.
- Test your e-mail server for SMTP relay at www.abuse.net/relay.html or a similar site.
- Turn off SMTP relay for outside addresses on your e-mail server if possible.
- Look at your PIX firewall ruleset and make sure the SMTP rules are in place. You should see something similar to:
    conduit permit tcp host PUBLIC_IP_ADDRESS eq smtp any
    conduit permit tcp host MAILSERVER_PRIVATE_IP_ADDRESS eq smtp any
- Test your systems for vulnerabilities using an external tool. (Note: External port scans aren't enough, so consider using a reputable tool that can dig a little deeper, such as QualysGuard.)
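As an added example (not part of the original checklist), a small Python audit that parses PIX `conduit` lines and flags any SMTP conduit that exposes something other than your known mail server's public address, or that is missing for that address. The sample configuration and the 203.0.113.x addresses are constructed, and which address is the mail server's is an assumption you pass in.

```python
from typing import Dict, List, Optional, Set

# Constructed sample PIX configuration (not taken from the original page).
# The first two conduit lines follow the shape shown in the checklist above;
# 203.0.113.10 is assumed to be the mail server's public (global) address.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
conduit permit tcp host 203.0.113.10 eq smtp any
conduit permit tcp host 203.0.113.11 eq smtp any
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp any eq smtp any
"""

def _take_addr(toks, pos):  # consume 'host X' | 'any' | 'ip mask' -> (addr, next_pos)
    if toks[pos] == "host":
        return toks[pos + 1], pos + 2
    if toks[pos] == "any":
        return "any", pos + 1
    return f"{toks[pos]}/{toks[pos + 1]}", pos + 2

def parse_conduit(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse 'conduit permit|deny proto GLOBAL [eq PORT] FOREIGN' (GLOBAL = public side)."""
    toks = line.split()
    if len(toks) < 5 or toks[0] != "conduit":
        return None
    global_addr, pos = _take_addr(toks, 3)
    port = None
    if pos < len(toks) and toks[pos] == "eq":
        port, pos = toks[pos + 1], pos + 2
    if pos >= len(toks):
        return None                      # truncated line, ignore it
    foreign_addr, _ = _take_addr(toks, pos)
    return {"action": toks[1], "proto": toks[2], "global": global_addr,
            "port": port, "foreign": foreign_addr}

def audit_smtp_conduits(config: str, mail_hosts: Set[str]) -> List[str]:
    """Flag SMTP conduits that expose anything but the known mail host(s)."""
    findings, seen = [], set()
    for c in filter(None, map(parse_conduit, config.splitlines())):
        if c["action"] != "permit" or c["port"] not in ("smtp", "25"):
            continue
        if c["global"] == "any":
            findings.append("SMTP permitted to every global address")
        elif c["global"] not in mail_hosts:
            findings.append(f"SMTP permitted to unexpected host {c['global']}")
        else:
            seen.add(c["global"])
    for host in sorted(mail_hosts - seen):
        findings.append(f"no SMTP conduit found for mail host {host}")
    return findings
```

Run it against the output of `show conduit` (or the saved configuration) with your mail server's global address in `mail_hosts`; an empty list means only the expected SMTP conduit is present.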
If you still have problems with your e-mail server, you may need to bring in an outside consultant to examine your systems for signs of compromise and to perform further vulnerability testing.
This was first published in November 2004