[CITL] On-Campus SMTP-AUTH Restrictions

Jonathan L Ocab jonathan.ocab at ucr.edu
Tue Aug 15 12:54:38 PDT 2023


A few weeks ago, an email with subject line "Removal of SMTP authentication exemption for VPN users" was sent to CITL, announcing the intent to remove the Exempt-from-SMTP-AUTH rule for campus VPN networks.

This yet-to-be-executed change has been pulled and modified with expanded scope.

The ISO will be requesting ITS Infrastructure make the following changes for the on-campus UCR SMTP servers (smtp.ucr.edu) within the next few weeks:

  1.  Block all off-campus SMTP-AUTH access, except for explicitly allowed domains (e.g., Google, Outlook, AWS, GCP, etc.)
  2.  Block all campus VPN SMTP-AUTH access

The first change will affect anyone who is using legacy methods of sending email using their UCR account from home or any other remote location. These users will need to use the O365 or Google Mail SMTP servers, respectively, per established and documented procedures by UCR ITS and/or O365 or Google.

Based on historical data, we have identified system/service email from various SaaS solutions, and these will be placed on the allowed list. Also, approximately 15 unique NetIDs have been identified as making an SMTP-AUTH from a remote IP that is not on an expected domain (e.g., Google). ITS will be reaching out to the identified users to inform them of this change and provide assistance to reconfigure their email clients as applicable.

The second change above will prevent anyone on the campus VPN from using the on-campus SMTP servers to send mail, with or without authentication. Users on the VPN will need to reconfigure their email clients to use the appropriate SaaS email servers.

The changes outlined will NOT affect on-campus, non-VPN access to the on-campus SMTP servers.

These changes are prompted by a need to mitigate misuse of our SMTP servers by external threat actors who have been using the UCR on-campus SMTP servers to attack the UCR community as well as several universities nationwide and internationally. Furthermore, this change will emphasize the best practice of using the applicable SaaS email platforms (Google Mail / R'Mail or O365) in the supported manners.

If there are any questions or concerns, send them directly to me. If you have any specific exemptions that you want to ensure are added, you may also send those to me, and I will relay those to the ITS Infrastructure team.

Thank you.


---
Jonathan Ocab | jonathan.ocab at ucr.edu
Manager, Information Security Operations
Information Security Office
University of California, Riverside