Firewall Wizards mailing list archives

Re: SMTP Firewall


From: Randy Witlicki <randy.witlicki () valley net>
Date: Tue, 7 Sep 1999 19:40:33 -0400

  Our Pal Roy wrote:

I have a customer whose E-Mail department requested a separate dedicated
SMTP-only FW.  I can think of no reason to deny this request, but also am
having difficulty finding reasons to allow it.  I put it to the list: are
there benefits or risk in allowing this type of configuration?

Thanks

  Risks:
    - Another box to administer/lock down/worry about (will you get
the additional personnel to admin. this box, or will your resources
be spread thinner?).
    - Power/Admin. issues - is this the turf of the "E-Mail department"
and will the power lusers in that department want access to the box?

  Benefits:

   - I can block all but SMTP needed traffic with router access lists.
   - inetd.conf will be really short.
   - The performance should be reasonable.  (Do they want virus scanning
of incoming email also ?)
   - If they break into the box itself, they can only dick with
mail stuff (it has no trust relationship with anything else as far
as non-mail stuff right ?)  HOWEVER - they can download a sniffer
such as tcpdump and listen to the local ethernet segment (if this is
not on a dedicated switch port).

   So, would I do this and sleep well at night ?
   I would say to management - "This is the cost - hardware, install
and ongoing personnel time, an IP address slot.  I need control of
the box."
   If management says do it and spend the money, then I would sleep well.

  - Randy