I configured our mail server to only accept mail from our internal work IP address and from authorised users.
So if one of your office PCs catches an e-flu, it will have no trouble using your mailserver to spread spam.
The way I see it, the only way is to make SMTP authentication mandatory _everywhere_ (except perhaps on your desktop localhost, which should accept mail from you, but should be required to authenticate when pushing your outgoing mail to your upstream mailserver).
So that if one of your office PCs gets compromised the SMTP authentication is also compromised, and therefore you have the same problem. This is assuming you don't require that someone type their password every time they send a message--that'd be ridiculous.
Yes, I imagine there is malware out there which can read SMTP credentials from an infected host, but the majority can't, and will just try sending out without authentication. If nothing else, the resulting amount of spam is decreased severely.
OTOH, if smtp auth became mandatory, or at least widely used, malware would just adapt, and its ability to sniff out credentials would improve. Arms race and all that. So scratch my idea.
> It stops our mail server from being used as an open relay though?
From outside of your network yes. If one of the computers inside your network is infected your mail-server will happily deliver the spam mails.
> How does blocking 1 specific port stop the issue anyway?
> They can just change the port they connect on?
I don't know of any SMTP server that accepts e-mail on ports other than 25. Port 587 requires authentication before sending an e-mail.
I thought most people don't accept e-mails sent from ISP networks with dynamic IP addresses. Maybe that's not the case and they try to reduce spam this way.
> I was offering an opinion on how to resolve those issues.
> Changing which port accepts the mail is in my opinion pointless.
Nobody changed any ports. E-mail is still sent to port 25 from mail servers. But if you are not a mail server (e.g. a client in a network) you have to use the submission port and authenticate against your ISP/company mail server.
You can still use port 25 on your ISP mail gateway, but now they can filter and rate-limit your e-mails.
> It's like saying that most burglars come in through the back door so the government blocks everyone's back door, they will just come in the front.
Not really. It is good practice to only act as a mail server if you are on a static IP and MX records point to your server. None of this is fulfilled by dynamic ISP IP addresses. So this just stops the unwanted practice for good.
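An added example, not code from any poster in this thread: a small Python model of the two relay policies argued over above (relay for internal IPs or authenticated users, versus port 25 for local delivery only with mandatory AUTH on port 587), run over constructed connection attempts. The network range, domain, addresses, user names and function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed office range
LOCAL_DOMAINS = {"example.com"}                      # assumed hosted domain

@dataclass
class Attempt:
    label: str
    client_ip: str
    port: int
    auth_user: Optional[str]  # None means the client did not use SMTP AUTH
    rcpt: str

def rcpt_is_local(rcpt: str) -> bool:
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def ip_trust_policy(a: Attempt) -> bool:
    """First post's setup: relay for internal IPs or authenticated users."""
    if rcpt_is_local(a.rcpt):
        return True  # inbound mail for our own users is always accepted
    internal = ipaddress.ip_address(a.client_ip) in INTERNAL_NET
    return internal or a.auth_user is not None

def auth_everywhere_policy(a: Attempt) -> bool:
    """Port 25 accepts local delivery only; port 587 always requires AUTH."""
    if a.port == 587:
        return a.auth_user is not None
    if a.port == 25:
        return rcpt_is_local(a.rcpt)
    return False

# Constructed connection attempts (documentation address ranges).
ATTEMPTS = [
    Attempt("infected office PC, no AUTH", "192.0.2.23", 25, None, "victim@example.net"),
    Attempt("office client, AUTH on 587", "192.0.2.10", 587, "alice", "partner@example.net"),
    Attempt("infected office PC, stolen AUTH", "192.0.2.23", 587, "alice", "victim@example.net"),
    Attempt("outside host relay attempt", "203.0.113.9", 25, None, "victim@example.net"),
    Attempt("remote MTA to local user", "198.51.100.7", 25, None, "bob@example.com"),
]

def compare() -> dict:
    """Map each attempt label to (ip_trust accepted, auth_everywhere accepted)."""
    return {a.label: (ip_trust_policy(a), auth_everywhere_policy(a)) for a in ATTEMPTS}

if __name__ == "__main__":
    for label, (ip_ok, auth_ok) in compare().items():
        print(f"{label:34} ip_trust={ip_ok!s:5} auth_everywhere={auth_ok}")
```

Only the first row differs between the two policies; the stolen-credential row is accepted by both, which is where the rate limiting per sender mentioned in the thread comes in.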