Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Permit or Proxy - SMTP
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Fri, 24 Nov 2000 14:31:45 -0500

On Fri, Nov 24, 2000 at 10:10:48AM +0000, Craig.Martin () faht scot nhs uk wrote:
I've just received a request from a colleague that looks after our exchange server.  Currently I have port 102 opened 
up to allow x.400 mail to be sent to a relay host.
But, the new request has asked for port 25 (smtp) to be opened up.  I'm a bit concerned about this and was wondering 
if anyone could (roughly) give some advice on the pitfalls in doing so.

My Gut reaction is to tie down the destination IP address for outgoing then just permit replies from the same 
external host and probably proxy it too.  However, my colleague has also asked if this could be allowed to all 
external hosts.  This is the part that concerns me.

So...the question is...1) permit or proxy and 2) what's the risks here

This is a pretty standard thing to do.  You should have a proxy on your
firewall for SMTP already, that you can enable.  If, as you imply, you
have one internal and one external SMTP server, then you can configure
the proxy to allow SMTP between those two only.  However, this would be
an unusual configuration (to have one inside and one outside).  Usually,
an SMTP proxy must be configured to allow incoming e-mail from anywhere
and outgoing e-mail to anywhere.

Your SMTP proxy must be configured NOT to allow e-mail from the outside
to the outside, or else it will likely be found by spammers and used as
a third-party relay.  Even more likely, it will be put in one of the
popular SPAM-prevention databases and shunned.

Most SMTP proxies can further be configured to use one of said popular
SPAM-prevention databases, to shun any e-mail that might remotely be
SPAM; but I would only do that if I knew I had a SPAM problem.  All it
takes is one false positive rejection to or from a Very Important Person
Indeed ...  ;-)

Some SMTP proxies also have a hook to allow examining incoming and
outgoing e-mail for various active content that migh host malicious
code.  If you enable this, be sure NOT to let your users think that
this in any way relieves them of the responsibility to do virus-checking
at the desktops.  This may require underselling the virtues of the SMTP
virus-scanning software.  As all virus-scanning software is imperfect,
anyway, this should not be a problem.

Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
This message is not an official statement of COSPO policies.

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]