My company recently went from a border manager to a Cisco Pix Firewall. After about a week our outgoing e-mail stopped going out except for at night (incoming and in-house e-mail are not effected). It appears to me someone is sending e-mail from our server. I called our service provider?s tech support, who told me it appeared that anyone could be sending e-mail from our account. I am assuming this means the service provider left a hole in my firewall. I have dealt with this provider in the past, so I have a feeling they will deny this happened. Is there a way I can tell if there is a hole in the firewall? Could anything else cause this?
- Change the terminal and enable passwords on your PIX firewall.
- Look for old/unused e-mail accounts. Disable or delete any that you find since these can be a source of compromise.
- Change user passwords on your e-mail server. (You may have to change network passwords in conjunction with this.)
- Change the administrator password on the e-mail server.
- Test your e-mail server for SMTP relay at www.abuse.net/relay.html or similar site.
- Turn off SMTP relay for outside addresses on your email server if possible.
- Look at your PIX firewall ruleset and make sure the SMTP rules are in place. You should see something similar to:
conduit permit tcp host PUBLIC_IP_ADDRESS eq smtp any
conduit permit tcp host MAILSERVER_PRIVATE_IP_ADDRESS eq smtp any
- Test your systems for vulnerabilities using an external tool. (Note: External port scans aren't enough, so consider using a reputable tool that can dig a little deeper such as QualysGuard .)
If you still have problems with your e-mail server, you may need to bring in an outside consultant to look at your systems for signs of compromise and further vulnerability testing.
This was first published in November 2004