Educause Security Discussion mailing list archives
Re: Outbound SMTP
From: Tim Cantin <tcantin () WELLESLEY EDU>
Date: Fri, 25 Apr 2008 09:31:08 -0400
Matt, I would strongly suggest implementing that rule at your perimeter firewall! We block all smtp traffic except to/from known hosts. So we allow our own central mail servers of course, a handful of trusted local entities (i.e. CS's mail server and several others), and just a few outside sites for convenience on request (i.e. Comcast.net). We never asked permission, we just did it. A handful of knowledgeable people squawked, and we opened access for their particular needs. Since then we haven't received a single complaint from the outside about spam originating from our site. In addition, since that rule went into effect we have also implemented Cisco Clean Access for every desktop on campus (students, faculty, and staff alike). We enforce Windows updates and anti-virus installed & updated. Yeh it was a little expensive, but it literally eliminated viruses on user desktops, a condition which was causing vast hours and hours of work from our Helpdesk to assist users in cleaning up their computers. It was a fantastic return on investment, though now our users have to try a little harder to stay on the network - which not all of them are thrilled about. IMHO they should've been doing this right along, of course. If you can't afford a full implementation, consider phasing it in over time. We put our residence halls on it one summer, and then the rest of the campus the next summer thereby splitting the cost across two fiscal years. Good luck! -Tim --- Tim Cantin, Senior Network Engineer Wellesley College, IS/Technology Infrastructure Group 223 Simpson Hall East, 106 Central Street Wellesley, Massachusetts 02481-8203 http://www.wellesley.edu/~tcantin/ <BLOCKED::http://www.wellesley.edu/~tcantin/> phone: (781)283-3520 fax: (781)283-3682 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew Sent: Friday, April 25, 2008 9:14 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Outbound SMTP I am curious how many other schools block outbound SMTP, and if so from which or all networks? We currently still allow it; however, I see very few legit connections. Usually once a week I find another student who has become malware infected, and have to shut them off until they can prove their computer is clean (unfortunately we don't have a true NAC as budget does not allow). The biggest problem is wireless users. I can block MAC addresses, however this ends up taking a lot of time from start to finish (by the time I login to WCS, push the policy to all the controllers, document it, notify our helpdesk team for the incoming phone call they will get, then all those steps in reverse when the computer is cleaned). I have been considering approaching management to just block all port 25 traffic. My holdback is that I feel bad for anyone that has their own domain somewhere and sends mail through it. We do not allow students to relay SMTP mail through our mail servers. Thoughts? Thanks for your input, Matt Matthew Jenkins Network/Server Administrator Fairmont State University Visit us online at <http://www.fairmontstate.edu/> www.fairmontstate.edu
Current thread:
- Outbound SMTP Jenkins, Matthew (Apr 25)
- <Possible follow-ups>
- Re: Outbound SMTP Di Fabio, Andrea (Apr 25)
- Re: Outbound SMTP Babb, Robert (Apr 25)
- Re: Outbound SMTP Dan Oachs (Apr 25)
- Re: Outbound SMTP Morrow Long (Apr 25)
- Re: Outbound SMTP Tim Cantin (Apr 25)
- Re: Outbound SMTP Kenneth Arnold (Apr 25)
- Re: Outbound SMTP Halliday,Paul (Apr 25)
- Re: Outbound SMTP Gary Flynn (Apr 25)
- Re: Outbound SMTP Childs, Aaron (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Barros, Jacob (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Jeff Kell (Apr 25)
- Re: Outbound SMTP Joe St Sauver (Apr 25)
(Thread continues...)