Monitoring Inbound SMTP

SOLVED
threeonesix
Here to help

I recently started employing the Barracuda Cloud Protection Layer to filter inbound email. I've waited now 7 days since changing our public MX records. Mail is flowing fine, there's no problem with that. Today I changed our MX100 firewall NAT rule such that SMTP port 25/587 traffic is now only being accepted from Barracuda's IP ranges. Mail is still flowing fine. What I would like to do now, however, is monitor inbound port 25 traffic, to see if any legit mail from our customers or vendors is being blocked. I know that changing public MX records can take sometimes crazy amounts of time to propagate based on doing this at a former employer. Believe it or not back then (6 years ago) I was still seeing legit SMTP traffic coming in from customers and vendors a full month after having made the public DNS change. I'd like to avoid the possibility of losing revenue due to anti-spam policies. How can I monitor this inbound SMTP traffic via the Meraki Dashboard? Also is there any way to see past SMTP inbound traffic, via report or some other mechanism? TIA

1 ACCEPTED SOLUTION

It is a real ping.  Basically you have to log to a Syslog server.

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...

You are better to allow the traffic through to an internal server and check its logs.  Then deny it again once you are happy.

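The syslog approach from the accepted solution, sketched as an added example that is not part of the original thread: it reads firewall flow lines from a syslog file and counts denied inbound SMTP attempts per source that is not one of the filtering provider's relays. The `flows` key=value line layout, the `deny` markers, the placeholder relay range and the sample lines are assumptions made for illustration; adjust them to what your MX actually sends.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a documentation range stands in for the provider's published
# relay ranges, which the thread does not list.
ALLOWED_RELAYS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]
SMTP_PORTS = {25, 587}
KV = re.compile(r"(\w+)=(\S+)")
# Assumed deny markers; check them against real lines from your appliance.
DENY = re.compile(r"\bflows deny\b|pattern: deny\b")

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
1700000001.1 MX100 flows src=203.0.113.10 dst=198.51.100.5 protocol=tcp sport=40111 dport=25 pattern: allow all
1700000002.2 MX100 flows src=192.0.2.44 dst=198.51.100.5 protocol=tcp sport=51822 dport=25 pattern: deny all
1700000003.3 MX100 flows src=192.0.2.44 dst=198.51.100.5 protocol=tcp sport=51823 dport=25 pattern: deny all
1700000004.4 MX100 flows src=192.0.2.77 dst=198.51.100.5 protocol=tcp sport=40000 dport=443 pattern: deny all
1700000005.5 MX100 flows src=192.0.2.90 dst=198.51.100.5 protocol=tcp sport=33000 dport=587 pattern: deny all
not a flow line
"""

def is_allowed_relay(ip):
    """True if the address belongs to one of the permitted relay ranges."""
    return any(ip in net for net in ALLOWED_RELAYS)

def denied_smtp_sources(lines):
    """Count denied SMTP attempts per source that is not an allowed relay."""
    hits = Counter()
    for line in lines:
        if " flows " not in line or not DENY.search(line):
            continue
        fields = dict(KV.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        if dport in SMTP_PORTS and not is_allowed_relay(src):
            hits[str(src)] += 1
    return hits

if __name__ == "__main__":
    for src, count in denied_smtp_sources(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src}\t{count} denied SMTP attempt(s)")
```

Each source it reports is a sender still delivering to the old MX target; a reverse DNS lookup on the address shows whether it is a customer or vendor mail server.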
11 REPLIES
threeonesix
Here to help

I have no idea why the Subject of this post reads "Monitoring MR's with Nagios" as that is NOT what I entered. Weird.

Hi @threeonesix - Let me know what you'd like the title to be and I can update it for you!

Caroline S | Community Manager, Cisco Meraki

I think I entered "Monitoring Inbound SMTP" or something like that. That would be more appropriate as I'm not using Nagios 😉

Thanks!

Adam
Kind of a big deal

If the traffic is NAT'd to your SMTP server couldn't you do the monitoring on that server? Alternatively you could mirror the port going to/from your mail server to whatever monitoring platform you wanted to use.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO

I don't think so because the firewall rule takes precedence. The NAT publishing rule associates the inbound SMTP traffic with our Barracuda Email Security Gateway appliance, which then forwards accepted emails to our Exchange server. If the MX100 blocks an inbound SMTP connection attempt from 1.2.3.4 the Barracuda isn't going to show that traffic at all. So I think the monitoring has to be done at the firewall where the rule is in place to block SMTP traffic that does not emanate from Barracuda's public IP ranges. Is my thinking incorrect? Very well could be.

Pretty sure we already do employ syslog with this MX100 so I'll look into that.

An even better option might be to go on about my life and wait until our salespeople and supply chain employees complain that they're not receiving emails they are expecting  🙂

Go with plan-b. Go on with your life.

I really wanted to accept that as the solution but I'm afraid future humans will think we are lazy.  lol


@threeonesix wrote:

I think I entered "Monitoring Inbound SMTP" or something like that. That would be more appropriate as I'm not using Nagios 😉

Thanks!


Done! Cheers.

Caroline S | Community Manager, Cisco Meraki

Thank you!
