I know this is a noob question, but I haven't been able to find an answer on exactly what I'm looking for.
My mail server was recently blacklisted due to being infected with cutwail. Part of the de-listing instruction is to block port 25, specifically:
"The simplest and most effective way to stop this is to configure your NAT to prohibit connections to the Internet on port 25 except from real mail servers. Not only does this stop all of these viruses and spams dead in their tracks, the NAT logs will immediately tell you the LAN address of the infected machine."
Looking through our ISA rules (I inherited this setup, so I'm not familiar with everything on it), we have two pertaining to SMTP: one to allow all from local host to external, and one to allow all from external to local host. I assume this isn't what I want.
So to be compliant, I would like to block port 25 on our SBS 2003. We only have this one server, which provides us with NAT as well as acts as our Exchange server.
How do I, as they request, "block port 25 except from real mail servers" without interfering with our email functionality?
I've had clients in similar situations; usually the SBS server itself isn't the actual source of the infection. It was either a client machine sending out on port 25 directly, or it was using the Exchange server as a relay to get out.
Usually within your firewall you want to block port 25 for everything (preferably block all ports from WAN to LAN) and then set up specific port forwards from the firewall to your SBS server as needed. You can then also block outbound traffic on port 25 for any device not designated as your email server. Since your server is also working as your firewall, the rule that 'allows all SMTP from localhost to external' is actually compliant with what they're asking. But since all internet access is already going through the server, it's not having the effect that they want. You can try adding a rule that blocks SMTP from your local network range to the local host, but that still leaves your server open to attack.
The right thing to do to decrease the exposure of your SBS 2003 box is to either purchase or configure a router for use as your firewall instead of the server. And then use the firewall as the gateway for your network instead of the Server.
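A concrete form of the egress filter and log check this answer describes, as an added example that is not part of the original post or of the ISA configuration: a small Python script that reads netfilter-style LOG lines from a dedicated Linux router used as the firewall and reports every LAN host other than the designated mail server that tried to open TCP/25 to the Internet. The mail-server address 192.168.1.5, the 192.168.1.0/24 range, the iptables rules in the comment, the log prefix and the sample log lines are all assumptions constructed for the example.

```python
"""Find LAN hosts sending SMTP (TCP/25) straight to the Internet.

Added example (not from the original post). It parses iptables LOG lines of
the kind a Linux router writes when an outbound-SMTP rule matches and lists
internal sources other than the mail server, which is what the blacklist
operator meant by "the NAT logs will tell you the LAN address of the
infected machine".
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed network layout (not from the original post).
MAIL_SERVER = "192.168.1.5"          # the SBS/Exchange box, the only host allowed out on 25
LAN = ip_network("192.168.1.0/24")   # internal range behind the NAT

# Assumed egress rules on a Linux router acting as the firewall. Every forwarded
# SMTP/submission attempt is logged first, then only the mail server is let out:
#   iptables -A FORWARD -p tcp -m multiport --dports 25,587 -j LOG --log-prefix "SMTP-EGRESS "
#   iptables -A FORWARD -p tcp --dport 25 -s 192.168.1.5 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -j REJECT --reject-with tcp-reset
LOG_PREFIX = "SMTP-EGRESS"

# Constructed sample of what syslog would hold; these lines are made up.
SAMPLE_LOG = """\
Jan 12 10:01:03 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Jan 12 10:01:09 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.8 LEN=60 PROTO=TCP SPT=49201 DPT=25 SYN
Jan 12 10:01:09 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=49202 DPT=25 SYN
Jan 12 10:02:41 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth1 SRC=192.168.1.23 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=50001 DPT=25 SYN
Jan 12 10:02:44 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.40 LEN=60 PROTO=TCP SPT=50002 DPT=587 SYN
Jan 12 10:02:50 gw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.41 LEN=60 PROTO=TCP SPT=50003 DPT=25 SYN
Jan 12 10:03:00 gw kernel: eth0: link is up
"""

# Fields as netfilter prints them: SRC= DST= ... PROTO= SPT= DPT=
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield (src, dst, proto, dport) for every line carrying the SMTP log prefix."""
    for line in text.splitlines():
        if LOG_PREFIX not in line:
            continue                      # unrelated kernel/syslog noise
        m = LINE_RE.search(line)
        if not m:
            continue                      # prefix present but fields missing
        yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def suspect_hosts(text, mail_server=MAIL_SERVER, lan=LAN):
    """Count outbound TCP/25 attempts per LAN host, excluding the mail server."""
    counts = Counter()
    for src, dst, proto, dport in parse_log(text):
        if proto != "TCP" or dport != 25:
            continue                      # 587 submission or non-TCP is not the problem here
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in lan or dst_ip in lan:
            continue                      # only LAN -> Internet counts; LAN -> Exchange is fine
        if src == mail_server:
            continue                      # the real mail server is allowed out
        counts[src] += 1
    return counts


def top_suspects(text, **kw):
    """Return [(ip, attempts), ...], most active first, ties by address."""
    return sorted(suspect_hosts(text, **kw).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in top_suspects(SAMPLE_LOG):
        print(f"{ip:16} {n} direct SMTP attempt(s) to the Internet: inspect this machine")
```

On the sample, the script reports 192.168.1.77 (two attempts) and 192.168.1.23 (one), while the mail server's own outbound connection, a client submitting to Exchange, and a port 587 submission are left out. Run it against the router's syslog instead of SAMPLE_LOG once the egress rules above are in place; any host it lists is a candidate for the cutwail infection the blacklist operator described.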
You can't shut down port 25 for your SBS server because, as others have mentioned, that will shut down outgoing mail from Exchange.
It sounds like the 2 ISA rules you have for SMTP have it covered. If I remember correctly (this is going back a ways) ISA operates with a deny all by default mentality and you have to open what you need opened. From that perspective you're configured correctly with those rules.
If your Exchange server was infected then there wouldn't be anything you could do other than to keep it up to date with good A/V software.
Beyond that, I'd suggest contacting your ISP and going over things with them to appeal the blacklist. You'll need to prove that you're not vulnerable, or at least as secure as you can make it. Even then it'll be up to them based on their terms and conditions.