Skip to main content

πŸ“ Azure VM Scale Set Instance allows public access to SMTP port 🟒

  • Contextual name: πŸ“ Instance allows public access to SMTP port 🟒
  • ID: /ce/ca/azure/vm-scale-set/instance-allows-unrestricted-smtp-traffic
  • Located in: πŸ“ Azure VM Scale Set

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Logic​

Description​

Open File

Description​

Ensure that Azure VM Scale Set Instances do not permit unrestricted inbound access to the SMTP port (TCP 25). Inbound SMTP traffic should be explicitly restricted within Network Security Groups to prevent exposure to the public internet via open IP ranges such as 0.0.0.0/0.

Rational​

Unrestricted access to SMTP (port 25) can result in the unauthorized use of your VM for sending email, often leading to abuse such as spam or malicious email relay. This behavior can cause your public IP addresses to be blacklisted, impact email deliverability, degrade your organization’s reputation, and potentially violate compliance and acceptable use policies. Limiting SMTP traffic to trusted IP ranges or internal networks ensures controlled usage and mitigates the risk of misuse.

Impact​

Restricting SMTP access may require changes to existing mail services or relay configurations. Ensure that any legitimate email functionality is maintained through approved channels to avoid disruption to business-critical communications.

... see more

Remediation​

Open File

Remediation​

Modify or Remove Insecure NSG Rule​

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI​

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
        --resource-group {{resource-group-name}} \
        --nsg-name {{nsg-name}} \
        --name {{rule-name}} \
        --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access69