RE: Restrict telnet to port 25 via firewall.

[Bill Royds]

The Symantec Enterprise Firewall (old Axent Raptor) actually does this, but it can be fooled by using a better SMTP emulator like the Solaris mconnect command. It still helps a little. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Randy Smith Sent: Sat March 30 2002 16:52 To: 'Paul D. Robertson' Cc: [EMAIL PROTECTED] Subject: RE: Restrict telnet to port 25 via firewall. One possibility I have not heard discussed would be to write a wrapper that can distinguish the difference between protocol messages sent by an SMTP program and a person composing them at a Telnet prompt.  The former would likely arrive as a single packet per protocal message, while the latter would likely arrive as a single character per packet (Telnet generally does not buffer lines).  Another option might be to send back a Telnet control/negotiation message - an SMTP program would likely ignore it, while a Telnet program would respond.  I havent tried either of these approaches, but think they would detect most user attempts to spoof SMTP using Telnet.   - Randy Smith     ----Original Message-----    >From:         Paul D. Robertson [SMTP:[EMAIL PROTECTED]]    >To:           [SMTP:[EMAIL PROTECTED]]    >Cc:           [EMAIL PROTECTED]    >Subj:         RE: Restrict telnet to port 25 via firewall.    >Sent:         Monday, March 25, 2002 3:38 AM    >    >On Mon, 25 Mar 2002, Navin Mehra/MUM/IN/STTL wrote:    >    >> Date: Mon, 25 Mar 2002 14:25:35 +0530    >> From: Navin Mehra/MUM/IN/STTL <[EMAIL PROTECTED]>    >> To: Madhur Nanda <[EMAIL PROTECTED]>    >> Cc: [EMAIL PROTECTED]    >> Subject: RE: Restrict telnet to port 25 via firewall.    >>    >>    >> Thanks for the feedback.    >> But the problem is anybody can compose a mail, via telneting to port 25.    >    >Mail is spoofable.  That's a flaw in the protocol.  Telnet isn't the only    >way to spoof mail.    >    >> and then impersonatting the person can send a mail on his behalf. Can i    >> enable any sort or authorisation on the pix firewall or is there a setting    >> in the Lotus Notes server R5.    >    >If you want the machine to receive mail from the Internet, the best you    >can do is to ensure it's not an open relay.  As mentioned, there are    >client-side mail integrity solutions like S/MIME and PGP/GPG.     >    >If you're relying on SMTP for authenticity, you need to either switch    >mechanisms or add client-side validation, or accept the fact that the    >protocol has major flaws.    >    >Paul    >-----------------------------------------------------------------------------    >Paul D. Robertson      "My statements in this message are personal opinions    >[EMAIL PROTECTED]      which may have no basis whatsoever in fact."    >    >_______________________________________________    >Firewalls mailing list    >[EMAIL PROTECTED]    >http://lists.gnac.net/mailman/listinfo/firewalls    >