How to allow SMTP port 25 to all locations on MX84?

msi-phil
Just browsing

We've blocked most of the world due to the attacks. However, we need to be able to send email to just about any email system worldwide.

How can we configure our MX84 to permit SMTP messages to be sent under these conditions?

Thanks

Phil

12 Replies
BrandonS
Kind of a big deal

Just have a rule allowing port 25 above any rules denying it.

But I think you need to explain more what you are trying to accomplish because you shouldn’t need to do that.

- Ex community all-star (⌐⊙_⊙)

Thank you for your prompt reply!

The objective is to allow our SMTP Sender (only, it doesn't have an inbound component) to be able to send to email systems worldwide. Although we are a US based company, many of our customers use email systems in Europe and Asia, which we have blocked due to bad actors attempting to break into our systems.

Why do you say we shouldn't do this?

Thanks,

Phil

BrandonS
Kind of a big deal

That’s what I thought you said. That is not how email works though.

First, no one uses port 25 plaintext SMTP for email anymore and many ISPs block it. Do you really need to connect to other mail servers around the world in plaintext port 25? I would never do that for any reason.

Do you or someone on your team run your own local mail server? Are you having a particular issue sending email?

- Ex community all-star (⌐⊙_⊙)

Thanks BrandonS. After thinking about this a bit, I'm not even sure which ports we are actually using to send our outbound email. Our SMTP sender is Microsoft IIS SMTP Virtual Service and it could very well be using other ports.

Phil

And the issue we have is we can only send emails to North American systems.  Just about everywhere else in the world is blocked.

BrandonS
Kind of a big deal

I see. Do you get some kind of bounce message via email, or how do you know it is blocked? So your email server is local in your office/data center/shop? Maybe your public IP is on block lists, or your DMARC and SPF are not set up correctly?

You mentioned blocking the world due to attacks.  What are you actually referring to there?  Did you enable geographical IP blocking firewall rules and that causes the issue you are having?

- Ex community all-star (⌐⊙_⊙)

Brandon,

Yes, we get NDRs from our SMTP sender.

Some examples:

qq.com (China), gmail.ru, gmx.com (Germany), mein-florida-ferienhaus.de.

Our SPF record is set up correctly, else we couldn't send to Gmail, Yahoo, Office 365 mailboxes.

We have country (Layer 7) and specific IP (Layer 3) address blocks in place. Typically, when we see something that looks suspicious incoming, we block it.

Thanks,

Phil
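An added diagnostic, not something posted in this thread: run it on the IIS SMTP sender to see whether the primary MX host of each bounced domain is reachable on the ports discussed here, and which remote ports the sender is actually using right now. The domain list is taken from the NDR examples above; everything else is assumed.

```powershell
# Added diagnostic, not from the thread. Run on the IIS SMTP sender itself.
# Domains are the ones named in the NDRs above; ports are the ones discussed here.
$Domains = @('qq.com', 'gmail.ru', 'gmx.com', 'mein-florida-ferienhaus.de')
$Ports   = @(25, 587, 2525)   # 25: MX-to-MX delivery; 587/2525: submission ports

foreach ($domain in $Domains) {
    # Primary MX host = the record with the lowest Preference value
    $mx = Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference |
          Select-Object -First 1
    if (-not $mx) {
        Write-Output "$domain : no MX record resolved (DNS itself may be blocked)"
        continue
    }
    foreach ($port in $Ports) {
        # A timeout from inside the LAN on a port that answers from an outside
        # host points at the MX84 country/IP block rather than the remote MX.
        $r = Test-NetConnection -ComputerName $mx.NameExchange -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked or timed out' }
        Write-Output ('{0} -> {1} [{2}] tcp/{3}: {4}' -f $domain, $mx.NameExchange, $r.RemoteAddress, $port, $state)
    }
}

# Which remote ports is the sender using right now? This answers the question
# above of whether IIS SMTP is delivering on 25 or on something else.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -in $Ports } |
    Group-Object RemotePort |
    Select-Object Name, Count
```

Run the same connectivity loop from a host outside the MX84 (or with the suspect country rule temporarily disabled) and compare; only the destinations that differ are the firewall's doing.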

 

Bruce
Kind of a big deal

I'd try creating a Group Policy and attach it to your Mail Server. With this Group Policy you could override the outbound firewall rules so that that particular server can communicate with all countries, rather than being blocked.

(In fact if you read the last paragraph of this, https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal... you may find that if you specify the outbound ports that your mail server uses as a Layer 3 outbound rule as an 'allow' then it may work with your country blocks; that's assuming the Group Policy is processed the way it states, i.e. like a MR).

I'm going to try allowing 587 and 2525 above the Deny list.

Thanks for the heads up!

Phil

Bruce
Kind of a big deal

It won’t work if you do it directly on the MX firewall page, but may work if you use a Group Policy. Not something I’ve tried to do before, so will be trial and error. Would be interested to hear the outcome.

Inderdeep
Kind of a big deal

Add a port forwarding rule with the description SMTP, public port 25 and protocol TCP.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Thank you for your prompt reply.

Phil
