Tue Dec 10, 2024 7:53 pm
The log message clearly indicates that it is the MikroTik itself that initiates the TCP connections to port 25 - it says output, which is the firewall chain that handles packets sent by the router itself, and it says in:(unknown 0), which says the same in another way (packets sent by the router itself have no in-interface to be printed at this place of the message template).
So in the better case, you have misconfigured the /tool e-mail or some script; in the worse one, some malware is squatting on your router and trying to send spam. This normally means that you are not the only administrator of your router as the malware must obtain the spam contents to distribute and the list of addressees, so it has to talk to some control center.
So by just preventing the router from initiating SMTP connections, you will prevent it from getting blacklisted, but it won't prevent that hypothetical malware from doing something else.
What does /tool e-mail export show (before posting, obfuscate any usernames and passwords if set!)? What does /system logging action print where target=email show? Do you have any scripts that contain tool e-mail send?
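As an added example (not part of the original post): a small Python triage script that applies the reasoning above to firewall log lines, separating port-25 connections made by the router itself (chain output, in:(unknown 0)) from ones forwarded on behalf of LAN hosts. The log line layout, the "smtp" log prefix and all addresses are constructed for illustration and are assumptions; adjust the regex to what your RouterOS version actually prints.

```python
import re
from collections import Counter

SMTP_PORT = 25  # the port discussed in the post

# Assumed layout of a firewall log line produced by a rule with action=log:
#   [prefix] <chain>: in:<iface> out:<iface>, ... proto TCP (flags), src:port->dst:port, len N
LINE_RE = re.compile(
    r"(?P<chain>input|output|forward): "
    r"in:(?P<in_if>\(unknown \d+\)|[^\s,]+) out:(?P<out_if>\(unknown \d+\)|[^\s,]+),"
    r".*?proto (?P<proto>\w+)[^,]*, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines (documentation address ranges), not real router output.
SAMPLE_LOG = [
    "smtp output: in:(unknown 0) out:ether1, connection-state:new proto TCP (SYN), 192.0.2.10:51514->198.51.100.7:25, len 60",
    "smtp output: in:(unknown 0) out:ether1, connection-state:new proto TCP (SYN), 192.0.2.10:51520->203.0.113.9:25, len 60",
    "smtp forward: in:bridge out:ether1, connection-state:new src-mac 02:00:00:00:00:01, proto TCP (SYN), 192.168.88.20:40112->198.51.100.7:25, len 60",
    "smtp output: in:(unknown 0) out:ether1, connection-state:new proto TCP (SYN), 192.0.2.10:51600->198.51.100.7:443, len 60",
    "system,info router rebooted",
]

def classify(line):
    """Return (origin, src, dst) for a TCP/25 connection, or None for anything else."""
    m = LINE_RE.search(line)
    if not m or m["proto"] != "TCP" or int(m["dport"]) != SMTP_PORT:
        return None
    # output chain with no in-interface: the packet was generated by the router itself
    if m["chain"] == "output" and m["in_if"].startswith("(unknown"):
        return "router", m["src"], m["dst"]
    # forward chain: a host behind the router is the sender, which is a different problem
    if m["chain"] == "forward":
        return "forwarded", m["src"], m["dst"]
    return None

def summarize(lines):
    """Count SMTP connection attempts per (src, dst), grouped by origin."""
    report = {"router": Counter(), "forwarded": Counter()}
    for line in lines:
        hit = classify(line)
        if hit:
            origin, src, dst = hit
            report[origin][(src, dst)] += 1
    return report

if __name__ == "__main__":
    for origin, counts in summarize(SAMPLE_LOG).items():
        for (src, dst), n in counts.items():
            print(f"{origin:9} {src} -> {dst}:{SMTP_PORT}  x{n}")
```

Many distinct destinations in the "router" group point away from a single misconfigured /tool e-mail server and towards the worse case described in the post.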