I recently had a Kerio Connect customer notice large amounts of mail in his mail queue. Upon investigation, these were being sent by a particular user. Further investigation showed them to contain viruses - obviously the account or a machine had been compromised.
This user should not have been relaying mail from outside the local network at all. The default SMTP setting allowed relaying for any authenticated user, because a few users genuinely need to do that, but most did not.
There are a few ways to control this. One is to use a VPN, add the VPN address range to the "local" IP address group, and NOT allow SMTP relay for anyone who is not local. You'd then give VPN access only to those who need to relay from outside.
If that's not practical, Kerio User Access Policies provide another method. You'd define a restrictive policy and apply it to the users who do NOT need to relay from outside (or reverse that: make "not allowed" the default and add an "allow" policy for the few users who do need to relay).
The restrictive policy is simple: it can cover "All protocols" (which of course only means those that are enabled) but allow them only to local clients.
Once defined, we assign that policy to the users who should not have outside access.
With this in place, a compromised account cannot be used from outside the building. Note that the same users also lose legitimate outside access to every enabled protocol, not just SMTP relay, so choose the set of restricted users accordingly.
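The two approaches above (VPN addresses in the "local" group, or a per-user policy that restricts all protocols to local clients) modelled as an added Python example. This is not Kerio code and not Kerio's API; the subnets, user names and policy names are assumed, and the sessions are constructed to show the compromised account being refused relay from the Internet while a user who really needs outside relay is still allowed.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a plain-Python model of the two Kerio Connect settings the text
# discusses (the "local" IP address group and per-user access policies). This is
# not Kerio's API; the networks, user names and policy names below are assumed.

# The "local" IP address group: the LAN plus (for the VPN approach) the VPN pool.
LOCAL_GROUP = [
    ipaddress.ip_network("192.168.10.0/24"),  # assumed office LAN
    ipaddress.ip_network("10.8.0.0/24"),      # assumed VPN address pool
]


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    local_only: bool  # True: "All protocols" allowed only from local clients


# The restrictive policy from the text, and its opposite for the few who need relay.
RESTRICT_LOCAL = AccessPolicy("Restrict: all protocols, local clients only", local_only=True)
ALLOW_ANYWHERE = AccessPolicy("Allow: all protocols from anywhere", local_only=False)


def is_local(client_ip, local_group=LOCAL_GROUP):
    """True if the client address falls inside the "local" IP address group."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in local_group)


def relay_allowed(user, client_ip, authenticated, policies, default_policy,
                  local_group=LOCAL_GROUP):
    """Decide whether an SMTP session may relay mail to outside domains.

    policies maps user -> AccessPolicy; users without an entry get default_policy.
    The old default ("relay for authenticated users") is default_policy=ALLOW_ANYWHERE
    with an empty policies map; the fix is default_policy=RESTRICT_LOCAL plus an
    explicit ALLOW_ANYWHERE entry for each user who really needs outside relay.
    """
    if is_local(client_ip, local_group):
        return True                  # local (LAN or VPN) clients may always relay
    if not authenticated:
        return False                 # never an open relay for the outside world
    policy = policies.get(user, default_policy)
    return not policy.local_only     # outside + authenticated: only if the policy allows


def audit(sessions, policies, default_policy, local_group=LOCAL_GROUP):
    """Apply relay_allowed to a list of (user, client_ip, authenticated) sessions."""
    return [(user, ip, relay_allowed(user, ip, auth, policies, default_policy, local_group))
            for user, ip, auth in sessions]


# Constructed sessions: "bob" is the compromised account, "alice" legitimately
# relays from the road, and an unauthenticated stranger tries to relay too.
SESSIONS = [
    ("bob",     "203.0.113.45",  True),   # compromised account used from the Internet
    ("alice",   "203.0.113.45",  True),   # legitimate user on a hotel network
    ("alice",   "10.8.0.7",      True),   # same user, connected over the VPN
    ("bob",     "192.168.10.20", True),   # bob's own desk on the LAN
    ("mallory", "203.0.113.9",   False),  # no credentials at all
]

BEFORE = {}                          # the old default: every authenticated user may relay
AFTER = {"alice": ALLOW_ANYWHERE}    # restrictive default, one explicit exception

if __name__ == "__main__":
    for label, policies, default in (("before", BEFORE, ALLOW_ANYWHERE),
                                     ("after", AFTER, RESTRICT_LOCAL)):
        print(label)
        for user, ip, ok in audit(SESSIONS, policies, default):
            print(f"  {user:8} {ip:15} relay {'allowed' if ok else 'REFUSED'}")
```

Running it prints the before and after decision for each session; the only line that changes is the compromised account relaying from the Internet, which goes from allowed to refused. Passing an empty policy map with the restrictive default models the VPN-only approach, where alice is refused from the hotel network but accepted once her VPN address is in the local group.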
Got something to add? Send me email.