My company recently went from a border manager to a Cisco Pix Firewall. After about a week our outgoing e-mail stopped going out except for at night (incoming and in-house e-mail are not affected). It appears to me someone is sending e-mail from our server. I called our service provider's tech support, who told me it appeared that anyone could be sending e-mail from our account. I am assuming this means the service provider left a hole in my firewall. I have dealt with this provider in the past, so I have a feeling they will deny this happened. Is there a way I can tell if there is a hole in the firewall? Could anything else cause this?
If you're allowing e-mail traffic through your firewall, you've likely got a "hole" in it - TCP port 25 for the e-mail protocol SMTP. Unfortunately, this is a necessary evil. There's likely something else going on, so here are a few things to consider doing:
- Change the terminal and enable passwords on your PIX firewall.
- Look for old/unused e-mail accounts. Disable or delete any that you find since these can be a source of compromise.
- Change user passwords on your e-mail server. (You may have to change network passwords in conjunction with this.)
- Change the administrator password on the e-mail server.
- Test your e-mail server for SMTP relay at www.abuse.net/relay.html or similar site.
- Turn off SMTP relay for outside addresses on your email server if possible.
- Look at your PIX firewall ruleset and make sure the SMTP rules are in place. You should see something similar to:

```
conduit permit tcp host PUBLIC_IP_ADDRESS eq smtp any
conduit permit tcp host MAILSERVER_PRIVATE_IP_ADDRESS eq smtp any
```
- Test your systems for vulnerabilities using an external tool. (Note: External port scans aren't enough, so consider using a reputable tool that can dig a little deeper such as QualysGuard.)
If you still have problems with your e-mail server, you may need to bring in an outside consultant to look at your systems for signs of compromise and further vulnerability testing.
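One way to run the SMTP relay test recommended in the answer against your own mail server, as an added example that is not part of the original answer. It only walks the envelope stage (EHLO, MAIL FROM, RCPT TO) and then aborts with RSET, so no message is ever queued; the host, port and the two test addresses are placeholders you supply, and `ScriptedSMTP` is a constructed stand-in used only to exercise the logic offline.

```python
import smtplib
from dataclasses import dataclass


@dataclass
class RelayProbe:
    """Outcome of one MAIL FROM / RCPT TO exchange (no DATA is ever sent)."""
    sender: str
    recipient: str
    mail_code: int
    rcpt_code: int

    @property
    def relays(self) -> bool:
        # An open relay accepts both an outside sender and an outside recipient.
        return 200 <= self.mail_code < 300 and 200 <= self.rcpt_code < 300


def probe_relay(conn, sender, recipient) -> RelayProbe:
    """Run the envelope part of an SMTP transaction on an smtplib.SMTP-like
    connection, then abort it with RSET so nothing is left on the server."""
    conn.ehlo()
    mail_code, _ = conn.mail(sender)
    rcpt_code = 0  # 0 means RCPT TO was never attempted
    if 200 <= mail_code < 300:
        rcpt_code, _ = conn.rcpt(recipient)
    conn.rset()
    return RelayProbe(sender, recipient, mail_code, rcpt_code)


def check_server(host, port=25, timeout=15):
    """Connect to your own mail server and probe it with two addresses that
    belong to neither its domain nor your network (placeholder values)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        return probe_relay(conn, "relaytest@example.net", "relaytest@example.org")


class ScriptedSMTP:
    """Constructed stand-in for smtplib.SMTP that replays fixed reply codes."""
    def __init__(self, mail_code, rcpt_code):
        self.mail_code, self.rcpt_code = mail_code, rcpt_code
    def ehlo(self): return 250, b"ok"
    def mail(self, sender): return self.mail_code, b""
    def rcpt(self, recipient): return self.rcpt_code, b""
    def rset(self): return 250, b""


if __name__ == "__main__":
    import sys
    result = check_server(sys.argv[1])  # usage: python relaycheck.py mail.yourdomain
    print("OPEN RELAY" if result.relays else "relay refused", result)
```

Only a 2xx reply to both MAIL FROM and RCPT TO demonstrates an open relay; some servers accept RCPT TO and reject only at DATA or bounce later, so treat a refusal at either step as a good sign rather than proof, and confirm with the external abuse.net-style test the answer mentions.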