โญ Repository โ ๐ Compliance Engine โ ๐ CloudAware โ ๐ Azure โ ๐ Virtual Network
๐ก๏ธ Azure Network Security Group allows public access to SMTP port๐ข
- Contextual name: ๐ก๏ธ Security Group allows public access to SMTP port๐ข
- ID:
/ce/ca/azure/virtual-network/security-group-allows-unrestricted-smtp-traffic - Tags:
- ๐ข Policy with categories
- ๐ข Policy with type
- ๐ข Production policy
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logicโ
- ๐ง prod.logic.yaml๐ข
Descriptionโ
Descriptionโ
Ensure that Azure Network Security Groups do not permit unrestricted inbound access to the SMTP port (TCP 25). Inbound SMTP traffic should be explicitly restricted within Network Security Groups to prevent exposure to the public internet via open IP ranges such as 0.0.0.0/0.
Rationalโ
Unrestricted access to SMTP (port 25) can result in the unauthorized use of your VM for sending email, often leading to abuse such as spam or malicious email relay. This behavior can cause your public IP addresses to be blacklisted, impact email deliverability, degrade your organizationโs reputation, and potentially violate compliance and acceptable use policies. Limiting SMTP traffic to trusted IP ranges or internal networks ensures controlled usage and mitigates the risk of misuse.
Impactโ
Restricting SMTP access may require changes to existing mail services or relay configurations. Ensure that any legitimate email functionality is maintained through approved channels to avoid disruption to business-critical communications.
... see more
Remediationโ
Remediationโ
Modify or Remove Insecure NSG Ruleโ
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
If the rule is not required: Remove the rule entirely.
If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLIโ
Delete the rule:
az network nsg rule delete \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}}Restrict the rule:
az network nsg rule update \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}} \
--source-address-prefixes {{trusted-cidr}}Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g.,
--source-address-prefixes "1.2.3.4/32 5.6.7.8/32").... see more
policy.yamlโ
Linked Framework Sectionsโ
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| ๐ผ Cloudaware Framework โ ๐ผ Public and Anonymous Access | 80 | no data |