WatchGuard Support Center

Knowledge Base - Article

 Protect Your External IP Address from SMTP Blacklisting


How do I protect my external IP address from SMTP blacklisting?

Prevent SMTP Relay

Email relaying, also called mail spamming or open mail relay, is an intrusion in which a person uses your email server, IP address, and other resources, to send large amounts of spam email. This can cause system crashes, equipment damage, and financial loss.

If you are not familiar with mail relaying, or are unsure whether your email server is vulnerable to mail relaying, we recommend you research your email server to learn of any potential vulnerabilities. Your Firebox can provide basic mail relay protection, however, WatchGuard recommends that you also find out how to use your email server to prevent email relaying.

For more information, see Protect Your SMTP Server From Email Relaying in Fireware Help.

When your external IP address is used to send or relay spam, it can be added to public spam blacklists, such as the Spamhaus Block List.

To protect your external IP address, you must make sure that only your designated SMTP servers are able to send email from your network, and that your SMTP server cannot be used as an open relay. 

Block Unintended Outbound Email

If a computer within your network becomes infected with some forms of malware, it can be used to send spam. To prevent infected computers from sending spam, you can configure your designated SMTP servers to only allow outbound traffic over TCP port 25.

To restrict the SMTP traffic through your Firebox, you must create two outbound SMTP packet filter policies. The first policy allows SMTP traffic outbound from the SMTP servers. The second policy blocks SMTP traffic outbound from all hosts in your network.

If you use auto-order mode for policies on your Firebox, the more specific policy to allow traffic always appears first in the policy list, and allows only the desired outbound SMTP traffic. 

Here's an example of the settings for the two policies:

Screen shot of the two policies

When you configure the SMTP-Deny policy and specify that connections through this policy are denied, the policy is automatically configured to send a log message for all traffic that is denied by the policy.  You can review these log messages to see which users attempt to send email that is not allowed by the SMTP-Deny policy.

If your Firebox is configured with more than one external IP address, you can use the SMTP- Allow policy to control the IP address that is used for dynamic NAT when the traffic leaves your network. This will make certain that the source IP address of your email matches your public MX record. 

For more information, see Configure Policy-Based Dynamic NAT in Fireware Help.

To learn more about how your MX Record impacts outbound email, see About MX (Mail eXchange) Records in the Fireware Help