Block port 25 or SMTP port for non replay LAN IPs

Question

we configured Sophos XG in MTA mode. We need to restrict access to Port 25 for SMTP traffic to specific terminals only. Currently Port 25 is accessible from all LAN networks

apijnappels · Answer

Then you can make a rule to allow SMTP traffic for the specific clients that are allowed in the source addresses followed by a rule to block all SMTP traffic. Then only the allowed clients can use SMTP and all others are blocked. If it's internal clients you would like to block, you can also use reject instead of drop, so the client gets a message back that traffic is not allowed. From WAN drop is the better choice.

LuCar Toni · Answer

Do a Blackhole NAT rule. See: https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/FirewallRulesBlackHoleDNATRuleCreate/index.html 
 Adapt it to your needs. If you want to restrict it from LAN, then check The Port of LAN instead.

Block port 25 or SMTP port for non replay LAN IPs

Top Replies