
Block certain mail

Posted: Tue Nov 02, 2010 3:52 pm
by Ick
We need to add a rule that would block/drop all outgoing mail except that destined for certain mail servers. What is the best way to do this? Still new to MT, but learning lots!

Eric

Re: Block certain mail

Posted: Wed Nov 03, 2010 4:40 pm
by Feklar
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=25 dst-address-list=mail_servers in-interface=LAN
add chain=forward action=drop protocol=tcp dst-port=25 in-interface=LAN
Alternatively you can redirect all port 25 traffic to one of your mail servers with a NAT rule instead of just dropping SMTP to mail servers you don't know about.

Re: Block certain mail

Posted: Thu Nov 04, 2010 10:38 am
by normis
Destined to certain servers, or sent via certain servers? RouterOS can't filter messages; that you need to do in the mail server that sends them.

Re: Block certain mail

Posted: Thu Nov 04, 2010 7:32 pm
by Ick
Destined to certain servers. We just want to drop everything that isn't meant for our specific mail servers.

Re: Block certain mail

Posted: Fri Nov 05, 2010 7:47 am
by normis
Ick wrote:
Destined to certain servers. We just want to drop everything that isn't meant for our specific mail servers.
The destination of the email message is inside the message. Filtering based on that can only be done if you are the SMTP server that sends it. Not possible on RouterOS.

Re: Block certain mail

Posted: Thu Nov 18, 2010 5:07 pm
by Ick
Ick wrote:
Destined to certain servers. We just want to drop everything that isn't meant for our specific mail servers.
normis wrote:
The destination of the email message is inside the message. Filtering based on that can only be done if you are the SMTP server that sends it. Not possible on RouterOS.
We changed out our core router for MT. With our previous router, we had it set up so that it would drop bots and worms that were being sent out by infected client computers. So if emails were sent out from client machines that used any email servers other than ours, they were dropped.

Some of our professional clients had other company email servers that they used for their business, in this case we would add the ip address of their email server to our list of "approved" Email servers and their email would go through as well.

I still need to get this set up because our upstream provider is whining about it. Any help on this would be appreciated. Thanks

Eric

Re: Block certain mail

Posted: Thu Nov 18, 2010 5:10 pm
by fewi
RouterOS cannot do that.

Re: Block certain mail

Posted: Thu Nov 18, 2010 5:14 pm
by SurferTim
You want to block any new connections from your localnet clients to other email servers than yours for outbound email? This should do:
/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address=!xx.xx.xx.xx action=drop
Replace xx.xx.xx.xx with your email server IP.

Re: Block certain mail

Posted: Thu Nov 18, 2010 5:19 pm
by Ick
SurferTim wrote:
You want to block any new connections from your localnet clients to other email servers than yours for outbound email? This should do:
/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address=!xx.xx.xx.xx action=drop
Replace xx.xx.xx.xx with your email server IP.
Thanks for the quick reply, how do I add the list of email servers that are ok to send to?

Re: Block certain mail

Posted: Thu Nov 18, 2010 5:21 pm
by fewi
Make an address list enumerating all the servers and use the line Tim gave you with a slight modification to check the address list rather than the destination address directly:
/ip firewall address-list
add list=OK-smtp address=1.1.1.1
add list=OK-smtp address=2.2.2.2
/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address=!OK-smtp action=drop
Completely missed that you weren't trying to block content, just destination.

Re: Block certain mail

Posted: Thu Nov 18, 2010 5:28 pm
by SurferTim
Then use these instead:
/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address-list=email action=accept
add chain=forward protocol=tcp port=25 connection-state=new action=drop
Then put the good server IPs (including yours) in
/ip firewall address-list
add address=xx.xx.xx.xx list=email
EDIT: I added "connection-state=new" to each above.

I see fewi already answered. His is the same with one less entry.

Re: Block certain mail

Posted: Mon Nov 22, 2010 6:26 pm
by Ick
Got my list created and all looks good there, however when I type in the last line I get the following:

[admin@www.mikrotikrouter.com] /ip firewall filter> add chain=forward protocol=t
cp port=25 connection-state=new dst-address=!OK-smtp action=drop
value of range must have ip address before '-'
[admin@www.mikrotikrouter.com] /ip firewall filter>
fewi wrote:
Make an address list enumerating all the servers and use the line Tim gave you with a slight modification to check the address list rather than the destination address directly:
/ip firewall address-list
add list=OK-smtp address=1.1.1.1
add list=OK-smtp address=2.2.2.2
/ip firewall filter
add chain=forward protocol=tcp port=25 connection-state=new dst-address=!OK-smtp action=drop
Completely missed that you weren't trying to block content, just destination.

Re: Block certain mail

Posted: Mon Nov 22, 2010 6:30 pm
by SurferTim
That should have been "dst-address-list=!OK-smtp", not "dst-address". That is why I use my way. I can see easier what is being accepted and what is being dropped. I have not tried "dst-address-list=!address-list".
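As an added example, not RouterOS code and not written by anyone in the thread, the following Python model implements just the matchers the two rule sets above use (chain, protocol, port, connection-state, in-interface, dst-address and dst-address-list with "!" negation) and runs both fewi's one-rule version (with the dst-address-list fix) and SurferTim's accept-then-drop version over constructed packets, so the two can be compared side by side. It assumes RouterOS semantics as commonly documented: the first matching rule decides, an unmatched forward packet is accepted, `port=` matches either source or destination port, and "!" negation applies to dst-address-list as it does to dst-address. The address-list contents (1.1.1.1 and 2.2.2.2 from the thread plus the RFC 5737 range 203.0.113.0/24), the packet fields and the sample traffic are all constructed here; the parser's rejection of `dst-address=!OK-smtp` mirrors the error in the thread only in spirit (it trips on the same "-" character while trying to read a range), not in wording.

```python
"""Toy model of the RouterOS filter rules from the thread (added example)."""
import ipaddress

# Constructed list of approved SMTP relays; only a model, not a router export.
ADDRESS_LISTS = {
    "OK-smtp": ["1.1.1.1", "2.2.2.2", "203.0.113.0/24"],
}


def _addr_match(spec, ip):
    """dst-address value: single host, CIDR network, or 'lo-hi' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def in_address_list(name, ip):
    """True if ip is covered by any entry (host or CIDR) of the named list."""
    return any(_addr_match(entry, ip) for entry in ADDRESS_LISTS[name])


def parse_rule(line):
    """Turn 'add chain=forward protocol=tcp ... action=drop' into a dict.
    dst-address must be an address, network or range; a list name there is
    rejected, which is the mistake the thread ran into."""
    parts = line.split()
    if parts[0] != "add":
        raise ValueError("expected an 'add' command")
    rule = dict(p.split("=", 1) for p in parts[1:])
    if "dst-address" in rule:
        try:
            _addr_match(rule["dst-address"].lstrip("!"), "0.0.0.0")
        except ValueError:
            raise ValueError(
                f"dst-address={rule['dst-address']!r} is not an address or "
                "range; use dst-address-list for a list name") from None
    return rule


def rule_rejected(line):
    """Convenience for callers: does the parser refuse this line?"""
    try:
        parse_rule(line)
        return False
    except ValueError:
        return True


def _negatable(value, test):
    """Apply a leading '!' as RouterOS matchers do."""
    return not test(value[1:]) if value.startswith("!") else test(value)


def matches(rule, pkt):
    """Every matcher present in the rule must agree with the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    checks = {
        "protocol": lambda v: v == pkt["protocol"],
        "port": lambda v: int(v) in (pkt["src_port"], pkt["dst_port"]),
        "dst-port": lambda v: int(v) == pkt["dst_port"],
        "connection-state": lambda v: v == pkt["state"],
        "in-interface": lambda v: v == pkt["in_if"],
        "dst-address": lambda v: _addr_match(v, pkt["dst"]),
        "dst-address-list": lambda v: in_address_list(v, pkt["dst"]),
    }
    return all(_negatable(rule[k], fn) for k, fn in checks.items() if k in rule)


def verdict(rules, pkt):
    """First matching rule decides; nothing matched means accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


# fewi's single rule with SurferTim's dst-address-list correction applied.
ONE_RULE = [parse_rule(
    "add chain=forward protocol=tcp port=25 connection-state=new "
    "dst-address-list=!OK-smtp action=drop")]

# SurferTim's pair: accept the list, then drop every other new SMTP flow.
TWO_RULES = [parse_rule(l) for l in (
    "add chain=forward protocol=tcp port=25 connection-state=new "
    "dst-address-list=OK-smtp action=accept",
    "add chain=forward protocol=tcp port=25 connection-state=new action=drop",
)]


def packet(dst, dst_port=25, state="new", in_if="LAN", protocol="tcp"):
    """Constructed forward-chain packet from a LAN client."""
    return {"chain": "forward", "protocol": protocol, "src_port": 51000,
            "dst_port": dst_port, "state": state, "in_if": in_if, "dst": dst}


SAMPLE = {  # constructed traffic; 198.51.100.7 is an RFC 5737 address
    "approved_relay": packet("2.2.2.2"),
    "unknown_relay": packet("198.51.100.7"),
    "web": packet("198.51.100.7", dst_port=443),
    "established_smtp": packet("198.51.100.7", state="established"),
}


def compare(rules_a, rules_b, samples=SAMPLE):
    """Verdict of both rule sets per sample packet, as (a, b) pairs."""
    return {n: (verdict(rules_a, p), verdict(rules_b, p))
            for n, p in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in compare(ONE_RULE, TWO_RULES).items():
        print(f"{name:18} one-rule={a:7} two-rule={b}")
    bad = ("add chain=forward protocol=tcp port=25 connection-state=new "
           "dst-address=!OK-smtp action=drop")
    print("rejected:", rule_rejected(bad))
```

The comparison shows the two forms agreeing on every sample, which is what SurferTim's "same with one less entry" remark amounts to; the difference is only which rule a dropped or accepted SMTP flow is counted against, which is why the two-rule form is easier to read in the counters. Note that neither rule set restricts `in-interface`, so SMTP forwarded from any interface toward an address outside the list is dropped; Feklar's earlier version adds `in-interface=LAN` to confine the rule to client-originated traffic.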