⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 Azure → 📁 Virtual Machine

🛡️ Azure Virtual Machine allows public access to SMTP port🟢

• Contextual name: 🛡️ Virtual Machine allows public access to SMTP port🟢
• ID: /ce/ca/azure/virtual-machine/allows-unrestricted-smtp-traffic
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Virtual Machine
  • 🔌 Azure Network Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that Azure Virtual Machines do not permit unrestricted inbound access to the SMTP port (TCP 25). Inbound SMTP traffic should be explicitly restricted within Network Security Groups to prevent exposure to the public internet via open IP ranges such as 0.0.0.0/0.

Rational

Unrestricted access to SMTP (port 25) can result in the unauthorized use of your VM for sending email, often leading to abuse such as spam or malicious email relay. This behavior can cause your public IP addresses to be blacklisted, impact email deliverability, degrade your organization’s reputation, and potentially violate compliance and acceptable use policies. Limiting SMTP traffic to trusted IP ranges or internal networks ensures controlled usage and mitigates the risk of misuse.

Impact

Restricting SMTP access may require changes to existing mail services or relay configurations. Ensure that any legitimate email functionality is maintained through approved channels to avoid disruption to business-critical communications.

... see more

Remediation

Open File

Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

• If the rule is not required: Remove the rule entirely.

• If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI

1. Delete the rule:

   az network nsg rule delete \
     --resource-group {{resource-group-name}} \
     --nsg-name {{nsg-name}} \
     --name {{rule-name}}

2. Restrict the rule:

   az network nsg rule update \
       --resource-group {{resource-group-name}} \
       --nsg-name {{nsg-name}} \
       --name {{rule-name}} \
       --source-address-prefixes {{trusted-cidr}} 

   Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Public and Anonymous Access			80		no data