Security – Blocked connections passing through firewall. What is wrong

Tags: firewall, networking, security

In our company we have a small business router (Cisco RV082) on which we are using its standard configuration (block all incoming traffic). We also have an SMTP relay configured (using WS2008R2) so that our internal applications can send email through google apps (which requires authentication).

The thing is that the server was being used to send spam. We fixed the problem by only allowing the server to relay email from our internal IP address range (10.0.0.0/16).

My concern is that there was a way by which external IPs connected to the network and that underlying problem has not been fixed, but I cannot imagine how these machines connected.

Any thoughts?

Best Answer

If restricting your relay addresses to private fixed the problem, one possibility is that your SMTP port is open for inbound traffic. The port will frequently need to be at least slightly open in order to receive email. However, you'll want to restrict the opening to just allowing connections originating from servers that you want to receive email from (i.e. whatever IP range you were given by Google Apps for email).

Basically, it sounds like two things were happening:

1) Firewall wasn't limiting access to your SMTP port, and was allowing traffic to pass through from an untrusted source.

2) Your email server was relaying all email instead of just stuff from the internal network.

You fixed 2, which will work and should take care of the problem. However, you'll want to look into problem 1 as well to be more secure.
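The two conditions the answer describes (an unrestricted inbound SMTP port and a relay that accepted mail from any source) can be checked against a connection log with a short policy model. The script below is an added example, not code from the thread or from the RV082/Windows SMTP service: it encodes the internal relay range from the question (10.0.0.0/16), a placeholder local mail domain (`example.com`) and a placeholder "trusted inbound" range standing in for whatever addresses the mail provider publishes, then classifies each `RCPT TO` line of a constructed log under the "before" policy (both problems present) and the "after" policy (both fixed), so you can see which sessions would have been relayed spam and which source addresses the firewall should never have admitted.

```python
"""Model the answer's two findings as a relay policy and audit a log with it.

Added example; the policy values below are constructed for illustration and
are not taken from the thread or from any real mail-provider address list.
"""
import ipaddress
import re
from collections import Counter

# Range from the question: only these hosts may relay to outside domains.
INTERNAL_RELAY_NETS = [ipaddress.ip_network("10.0.0.0/16")]
# Placeholder for the company's own mail domain (assumption).
LOCAL_DOMAINS = {"example.com"}
# Placeholder for "whatever IP range you were given by Google Apps":
# TEST-NET-2 is used here so the example never names a real provider range.
TRUSTED_INBOUND_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def relay_decision(client_ip, rcpt_domain, firewall_restricted=True, relay_restricted=True):
    """Classify one RCPT TO attempt.

    firewall_restricted: problem 1 fixed (perimeter admits only internal or trusted senders)
    relay_restricted:    problem 2 fixed (relay to foreign domains only from the internal range)
    """
    internal = in_any(client_ip, INTERNAL_RELAY_NETS)
    trusted = in_any(client_ip, TRUSTED_INBOUND_NETS)
    if firewall_restricted and not (internal or trusted):
        return "DROP_FIREWALL"          # never reaches the SMTP service at all
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "ACCEPT_LOCAL"           # inbound mail for us: always accepted
    if internal or not relay_restricted:
        return "RELAY_OK"               # outbound relay permitted
    return "REJECT_RELAY"               # foreign source, foreign destination: refused


# Constructed log format: "<date> <time> <client ip> RCPT TO:<user@domain>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) RCPT TO:<[^@>]+@(?P<domain>[^>]+)>$")

SAMPLE_LOG = """\
2013-04-02 09:01:11 10.0.3.25 RCPT TO:<customer@example.org>
2013-04-02 09:02:40 203.0.113.45 RCPT TO:<victim1@example.net>
2013-04-02 09:02:41 203.0.113.45 RCPT TO:<victim2@example.net>
2013-04-02 09:05:03 198.51.100.7 RCPT TO:<sales@example.com>
2013-04-02 09:06:19 203.0.113.46 RCPT TO:<staff@example.com>
"""


def audit_log(text, firewall_restricted=True, relay_restricted=True):
    """Return (decision counts, external IPs that tried to relay to foreign domains)."""
    counts = Counter()
    external_relayers = set()
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # ignore lines that are not RCPT TO records
        decision = relay_decision(match["ip"], match["domain"],
                                  firewall_restricted, relay_restricted)
        counts[decision] += 1
        foreign_destination = match["domain"].lower() not in LOCAL_DOMAINS
        if foreign_destination and not in_any(match["ip"], INTERNAL_RELAY_NETS):
            external_relayers.add(match["ip"])
    return counts, external_relayers


if __name__ == "__main__":
    before, _ = audit_log(SAMPLE_LOG, firewall_restricted=False, relay_restricted=False)
    after, bad_sources = audit_log(SAMPLE_LOG)
    print("before fixes:", dict(before))
    print("after fixes: ", dict(after))
    print("external hosts that attempted relay:", sorted(bad_sources))
```

Running it shows the same external address relaying to two foreign mailboxes under the "before" policy and being dropped at the perimeter once inbound SMTP is limited to the internal and trusted ranges; the `external_relayers` set is the list you would take back to the router's logs to confirm how those hosts reached the server in the first place.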