Skip to main content
Danny
Danny
New Member
September 6, 2016
Question

How can I create a SMTP allowed policy?

  • September 6, 2016
  • 1 reply
  • 8148 views

I’m running an FG 50B I know quite old but I’m still very happy with. However I’ve found a strange problem with a policy I have created recently.

 

I’m trying to create an allowed policy to control my SMTP traffic, which means just allow SMTP from certain networks/ips or countries.

 

I have created the addresses I want to allow under firewall objects I have created a group containing the addresses mentioned above.

 

My policy allows SMTP services from the source interface zone (wan1) to the destination addresses (wan2) only when the source address matches the allowed list. The action is then set to “accept” There is no other rule regarding SMTP

 

However this seems not to work because no matter where I place this policy the SMTP traffic from networks which are not on the list is still getting through. Did I missed something? From my understanding all non-allowed SMTP traffic should be dropped. A deny policy would work without any problems but it would be much easier to have an allowed policy instead.

 

I really appreciate any replies

 

 

    1 reply

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    September 6, 2016

    hi,

    could you please clarify: this is for traffic from your LAN to WAN/ISP, or something else?

    The culprit most likely will not be the ACCEPT policy but some other policy allowing a broader range of services. We should have a look at the policy table.

    Danny
    DannyAuthor
    New Member
    September 6, 2016

    Hi Ede,

    Thank you very much for your reply. I'm trying to control the inbound access coming in from the WAN or ISP if you want. The other services which are allowed are HTTP, HTTPS, DNS, FTP, POP and IMAP in separate rules.

    Furthermore I'm allowing RDP from two restricted zones which works perfect btw.

    In the top of the list are the policies blocking either everything or SMTP (depending on what had happen) containing hundreds of IP s in their address groups. They are working perfectly. My consideration was to use a kind of an allow policy instead of denying hundreds addresses to make my live a little easier. But it seems not to work when I'm using a group instead of single ranges or addresses. 

    The mentioned policy looks like this and is placed almost directly under the block all bad guys policy:

    Source Interface/Zone     wan1 Source Address     SMTP Allowed List < containing the IP addresses or even countries Destination Interface/Zone     wan2(DMZ) Destination Address          2xx.xxx.xxx.x1 < DMZ addresses     2xx.xxx.xxx.x2     2xx.xxx.xxx.x5 Schedule     always Service SMTP smtps SSL MAIL (995 993) Action     ACCEPT

     

    Please let me k now how I could support you finding a solution

     

    Thank you very much

     

    Danny

    Ps, sorry for my bad English ;-@

     

     

    Terms & ConditionsAccessibility statement