[CITL] On-Campus SMTP-AUTH Restrictions - Scheduled for 09/01 at 1900 PDT
Jonathan L Ocab
jonathan.ocab at ucr.edu
Fri Aug 18 10:34:51 PDT 2023
The changes to on-campus SMTP outlined earlier this week (see original message below) have been scheduled for Fri Sep 01 at 1900 PDT.
If you have any services that connect to the on-campus SMTP servers (e.g., smtp.ucr.edu) that are not in GCP or AWS and have not already notified me with this information, please reply to this email as soon as possible.
If you have any questions regarding these changes, feel free to contact me directly.
Thank you.
---
Jonathan Ocab | jonathan.ocab at ucr.edu
Manager, Information Security Operations
Information Security Office
University of California, Riverside
________________________________
From: Jonathan L Ocab
Sent: Tuesday, August 15, 2023 12:54
To: citl at lists.ucr.edu <citl at lists.ucr.edu>
Subject: On-Campus SMTP-AUTH Restrictions
A few weeks ago, an email with subject line "Removal of SMTP authentication exemption for VPN users" was sent to CITL, announcing the intent to remove the Exempt-from-SMTP-AUTH rule for campus VPN networks.
This yet-to-be-executed change has been pulled and modified with expanded scope.
The ISO will be requesting ITS Infrastructure make the following changes for the on-campus UCR SMTP servers (smtp.ucr.edu) within the next few weeks:
1. Block all off-campus SMTP-AUTH access, except for explicitly allowed domains (e.g., Google, Outlook, AWS, GCP, etc.)
2. Block all campus VPN SMTP-AUTH access
The first change will affect anyone who is using legacy methods of sending email using their UCR account from home or any other remote location. These users will need to use the O365 or Google Mail SMTP servers, respectively, per established and documented procedures by UCR ITS and/or O365 or Google.
Based on historical data, we have identified system/service email from various SaaS solutions, and these will be placed on the allowed list. Also, approximately 15 unique NetIDs have been identified as making an SMTP-AUTH from a remote IP that is not on an expected domain (e.g., Google). ITS will be reaching out to the identified users to inform them of this change and provide assistance to reconfigure their email clients as applicable.
The second change above will prevent anyone on the campus VPN from using the on-campus SMTP servers to send mail, with or without authentication. Users on the VPN will need to reconfigure their email clients to use the appropriate SaaS email servers.
The changes outlined will NOT affect on-campus, non-VPN access to the on-campus SMTP servers.
These changes are prompted by a need to mitigate misuse of our SMTP servers by external threat actors who have been using the UCR on-campus SMTP servers to attack the UCR community as well as several universities nationwide and internationally. Furthermore, this change will emphasize the best practice of using the applicable SaaS email platforms (Google Mail / R'Mail or O365) in the supported manners.
If there are any questions or concerns, send them directly to me. If you have any specific exemptions that you want to ensure are added, you may also send those to me, and I will relay those to the ITS Infrastructure team.
Thank you.
---
Jonathan Ocab | jonathan.ocab at ucr.edu
Manager, Information Security Operations
Information Security Office
University of California, Riverside