Harry Duncan <[email protected]> writes:
>> When courier is forwarding mail to other MTAs on the net, is it
>> possible to determine the origin ports it may use from the
>> configuration?
>>
>> I'm just beefing up security and I want to firewall outbound
>> traffic from the courier server but obviously don't want to block
>> outbound smtp which presumably will originate on a high port
>> number????
>
> Source port should be unimportant for this purpose, only the target
> port that you are trafficking to via the firewall.
From a security perspective, this is not entirely ideal, IMO. If any malware should somehow manage to infect the server, it would be able to spew spam all over the net, easily, without knowing anything about the fact that it's running on a mail server, let alone specific configuration details. (Thus, it wouldn't have to be tailored to the specific situation; it could be a fully automated worm, for instance.) SPF would authorize such outgoing messages, since they would be coming from the correct IP address.

Requiring a specific range of source ports to be used would be an additional barrier against this. Think of it as defense in depth. The malware in this case would have to *specifically* check for Courier and read its configuration. Which, depending on filesystem permissions, might require compromising the user account Courier runs out of (or root). Something that gets in via some other opening might not be able to do that, *even* if the malware author took Courier into account when writing the thing, which they probably wouldn't bother to do if it's a general-purpose automated attack. (Most spam-sending malware carries its own smtp implementation around, so it doesn't need to target mail servers specifically.)

If 25 and 110 are the only ports you open, this is not a big deal. Anything that gets in on those ports is probably specifically targeted against mail servers, and very likely specifically Courier (not that I've heard of anything that targets Courier, but we're speaking in hypotheticals here). (That leaves non-remote attacks, but those are almost certainly targeted to the specific situation.)
But when you start opening other ports (like, say, port 80 so you can do a web-based mail and admin interface, or port 22 so you can do remote command-line admin), you create the possibility for malware to get in that is NOT specifically aimed at Courier, and at that point the ability to block outgoing mail traffic that doesn't know the right source ports to use becomes relevant and useful, IMO.

Yeah, I know, that's paranoid sysadmin thinking.

--
Nathan Eady
Galion Public Library

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
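The egress policy argued for in this thread, as an added illustration that is not part of the original post and not Courier's own configuration: outbound TCP/25 is accepted only from a reserved source-port range, and (an added note, not in the thread) a Linux firewall can additionally key on the sending process's uid, which gives the same "malware must know the MTA's setup" property without relying on the MTA to pin its source ports. The uid, port range, and connection records below are constructed assumptions.

```python
"""Model of a mail server's outbound firewall chain: first matching rule
wins, as in an iptables/nftables chain. Outbound SMTP (TCP/25) passes only
from the reserved source-port range and, optionally, only from the MTA's
own uid. Everything here (uid, port range, sample traffic) is constructed."""
from dataclasses import dataclass

MTA_UID = 1001                     # assumed uid the MTA delivers from
MTA_SPORTS = range(40000, 41000)   # assumed reserved outbound source ports


@dataclass(frozen=True)
class Conn:
    uid: int      # uid of the local process opening the connection
    proto: str
    sport: int
    dport: int
    dst: str


def egress_decision(c: Conn, require_uid: bool = True) -> tuple[str, str]:
    """Return (verdict, reason) for one outbound connection attempt."""
    if c.proto != "tcp" or c.dport != 25:
        return "accept", "not smtp"
    if c.sport not in MTA_SPORTS:
        return "drop", "smtp from unreserved source port"
    if require_uid and c.uid != MTA_UID:
        return "drop", "smtp from non-MTA uid"
    return "accept", "mta smtp"


def audit(conns, require_uid=True):
    """Apply the policy to every attempt and collect the drops: on a host
    where only the MTA should send mail, a dropped outbound SMTP attempt
    is a strong signal that something else on the box is trying to spew."""
    decisions = [egress_decision(c, require_uid) for c in conns]
    alerts = [(c, r) for c, (v, r) in zip(conns, decisions) if v == "drop"]
    return decisions, alerts


# Constructed sample: a real MTA delivery, a web-app uid sending from a
# random high port, the same uid after guessing the reserved range, and DNS.
SAMPLE = [
    Conn(MTA_UID, "tcp", 40017, 25, "198.51.100.10"),
    Conn(33, "tcp", 51234, 25, "198.51.100.10"),
    Conn(33, "tcp", 40500, 25, "198.51.100.10"),
    Conn(0, "udp", 53211, 53, "198.51.100.1"),
]

if __name__ == "__main__":
    for c, (v, r) in zip(SAMPLE, audit(SAMPLE)[0]):
        print(f"uid={c.uid:<5} {c.proto}/{c.sport}->{c.dport}: {v} ({r})")
```

With `require_uid=False` the chain reduces to the pure source-port scheme discussed in the thread, and the third sample connection shows what that alone fails to stop.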
