No one has mentioned restricting the commands on the server like VRFY and
HELP etc. If you can't verify a name on the server then the person who is
faking emails from your server will have a harder time sending emails
from your server.

One of the main problems I have seen with mail servers is that people leave
them wide open to be used as a mail relay. One way to help reduce this is
to use your ISP's mail servers as the entry and exit point for mail. This
way you only need to set your mail server or firewall to allow SMTP
connections to your mail server from their mail server, thus reducing the
chance of having your mail server being used to send spam mail. Also, I
strongly advise you turn relaying off on your mail server, as this will get
rid of a lot of the fake emails being sent from your server, but if you can
do the above this should stop the problem anyway.

Although no matter what you do, someone could still fake an email from
another mail server but using your domain, so still making you the brunt of
any backlash that may occur from someone spamming people with your email
address.

The internet, isn't it wonderful :)

Rgds
Alex


"Bill Royds" <[EMAIL PROTECTED]>
Sent by: firewalls-admin@lists.gnac.net
To: "Chris Keladis" <[EMAIL PROTECTED]>, "Bill Royds" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>, "'Paul D. Robertson'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: Restrict telnet to port 25 via firewall.
Date: 31/03/2002 03:26

The mconnect (Mail connect) actually follows the SMTP convention, not the
telnet convention.
That is, it does the port 25 3-way handshake, then waits for a complete line
before transmitting, etc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris
Keladis
Sent: Sat March 30 2002 20:18
To: Bill Royds
Cc: [EMAIL PROTECTED]; 'Paul D. Robertson'; [EMAIL PROTECTED]
Subject: Re: Restrict telnet to port 25 via firewall.


Wouldn't it be possible to detect telnet negotiation (OOB) going on and
drop the connection?

I agree with Paul, however, these measures won't stop abuse of tcp/25, but
it makes an interesting thread at least :)




Regards,

Chris.


Bill Royds wrote:

> The Symantec Enterprise Firewall (old Axent Raptor) actually does
> this, but it can be fooled by using a better SMTP emulator like the
> Solaris mconnect command. It still helps a little.
>
>      -----Original Message-----
>      From: [EMAIL PROTECTED]
>      [mailto:[EMAIL PROTECTED]]On Behalf Of Randy
>      Smith
>      Sent: Sat March 30 2002 16:52
>      To: 'Paul D. Robertson'
>      Cc: [EMAIL PROTECTED]
>      Subject: RE: Restrict telnet to port 25 via firewall.
>
>      One possibility I have not heard discussed would be to write
>      a wrapper that can distinguish the difference between
>      protocol messages sent by an SMTP program and a person
>      composing them at a Telnet prompt.  The former would likely
>      arrive as a single packet per protocol message, while the
>      latter would likely arrive as a single character per packet
>      (Telnet generally does not buffer lines).  Another option
>      might be to send back a Telnet control/negotiation message -
>      an SMTP program would likely ignore it, while a Telnet
>      program would respond.  I haven't tried either of these
>      approaches, but think they would detect most user attempts
>      to spoof SMTP using Telnet.
>
>      - Randy Smith
>
>      -----Original Message-----
>
>         >From:         Paul D. Robertson [SMTP:[EMAIL PROTECTED]]
>         >To:           [SMTP:[EMAIL PROTECTED]]
>         >Cc:           [EMAIL PROTECTED]
>         >Subj:         RE: Restrict telnet to port 25 via firewall.
>         >Sent:         Monday, March 25, 2002 3:38 AM
>         >
>         >On Mon, 25 Mar 2002, Navin Mehra/MUM/IN/STTL wrote:
>         >
>         >> Date: Mon, 25 Mar 2002 14:25:35 +0530
>         >> From: Navin Mehra/MUM/IN/STTL <[EMAIL PROTECTED]>
>         >> To: Madhur Nanda <[EMAIL PROTECTED]>
>         >> Cc: [EMAIL PROTECTED]
>         >> Subject: RE: Restrict telnet to port 25 via firewall.
>         >>
>         >>
>         >> Thanks for the feedback.
>         >> But the problem is anybody can compose a mail, via telneting to port 25.
>         >
>         >Mail is spoofable.  That's a flaw in the protocol.  Telnet isn't the only
>         >way to spoof mail.
>         >
>         >> and then impersonating the person can send a mail on his behalf. Can I
>         >> enable any sort of authorisation on the pix firewall or is there a setting
>         >> in the Lotus Notes server R5.
>         >
>         >If you want the machine to receive mail from the Internet, the best you
>         >can do is to ensure it's not an open relay.  As mentioned, there are
>         >client-side mail integrity solutions like S/MIME and PGP/GPG.
>         >
>         >If you're relying on SMTP for authenticity, you need to either switch
>         >mechanisms or add client-side validation, or accept the fact that the
>         >protocol has major flaws.
>         >
>         >Paul
>         >-----------------------------------------------------------------------------
>         >Paul D. Robertson      "My statements in this message are personal opinions
>         >[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>         >
>         >_______________________________________________
>         >Firewalls mailing list
>         >[EMAIL PROTECTED]
>         >http://lists.gnac.net/mailman/listinfo/firewalls
>         >
>

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls




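As an added example (not code from any participant in this thread), the following Python model puts the server-side measures discussed above side by side: refusing VRFY/EXPN as Alex suggests, denying relay to foreign domains unless the connection comes from the ISP's designated relay hosts as Alex and Paul describe, and Randy's two telnet-versus-mailer heuristics (one character per segment, and a reply to a Telnet option-negotiation probe), with Bill's caveat that a line-buffering tool such as mconnect passes them. The domains, address ranges, reply texts and transcripts are constructed assumptions, and the code works over lists of byte segments rather than opening a socket.

```python
"""Added example (not from the thread): a toy SMTP front-end policy that models
the measures discussed above. All domains, addresses and reply texts are
constructed assumptions; nothing here opens a socket."""
import ipaddress

# Telnet option-negotiation codes from RFC 854.
IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE

LOCAL_DOMAINS = {"example.com"}                          # assumed: domains we accept mail for
RELAY_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: the ISP's relay hosts
DISABLED_COMMANDS = {"VRFY", "EXPN"}                     # address probing is switched off


def looks_like_telnet(segments):
    """Randy's first heuristic: a human at a telnet prompt tends to arrive one
    character per TCP segment, and telnet announces option negotiation with IAC
    bytes, while a mailer sends whole lines. Bill's caveat applies: a tool that
    buffers complete lines (e.g. mconnect) passes this check."""
    if any(IAC in seg for seg in segments):
        return True
    if len(segments) < 4:
        return False
    single = sum(1 for seg in segments if len(seg) == 1)
    return single / len(segments) > 0.5


def responded_to_negotiation(reply):
    """Randy's second heuristic: after the server sends a telnet option request
    (IAC DO <option>), a telnet client answers IAC WILL/WONT; a mailer ignores it."""
    return len(reply) >= 3 and reply[0] == IAC and reply[1] in (WILL, WONT, DO, DONT)


def is_relay_allowed(client_ip):
    """Relaying to foreign domains is permitted only from the ISP's relay hosts."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in RELAY_SOURCES)


def _address(arg):
    """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'."""
    return arg.partition(":")[2].strip().strip("<>").strip().lower()


class Session:
    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.mail_from = None
        self.rcpts = []


def handle_command(session, line):
    """Apply the policy to one command line and return the SMTP reply."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in DISABLED_COMMANDS:
        return "502 5.5.1 Command not implemented"
    if verb in ("HELO", "EHLO"):
        return "250 mail.example.com"
    if verb == "MAIL":
        session.mail_from = _address(arg)
        return "250 2.1.0 OK"
    if verb == "RCPT":
        addr = _address(arg)
        domain = addr.rpartition("@")[2]
        if domain in LOCAL_DOMAINS or is_relay_allowed(session.client_ip):
            session.rcpts.append(addr)
            return "250 2.1.5 OK"
        return "554 5.7.1 Relay access denied"  # the open-relay check
    if verb == "DATA":
        return "354 End data with <CR><LF>.<CR><LF>" if session.rcpts else "503 5.5.1 Need RCPT"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.2 Command not recognized"


def run_transcript(client_ip, segments):
    """Screen the connection with the telnet heuristic, then reassemble the
    segments into CRLF lines and answer each. Returns (verdict, replies)."""
    if looks_like_telnet(segments):
        return "dropped", []
    text = b"".join(segments).decode("ascii", "replace")
    session = Session(client_ip)
    replies = [handle_command(session, ln) for ln in text.split("\r\n") if ln]
    return "served", replies


if __name__ == "__main__":
    # Constructed transcript: a host outside the ISP relay range tries VRFY and a relay.
    mailer = [b"HELO mx.example.net\r\n", b"VRFY root\r\n",
              b"MAIL FROM:<a@example.net>\r\n", b"RCPT TO:<b@example.net>\r\n",
              b"RCPT TO:<c@example.com>\r\n", b"QUIT\r\n"]
    print(run_transcript("198.51.100.7", mailer))
    print(run_transcript("198.51.100.7", [b"H", b"E", b"L", b"O", b" ", b"x\r\n"]))
```

The relay decision is the part that matters most in practice: a recipient domain outside LOCAL_DOMAINS is accepted only when the source address falls inside RELAY_SOURCES, which is exactly the "only your ISP's mail server may hand you mail for the outside world" arrangement Alex describes. The segment heuristics are kept separate because, as Bill notes, they only catch interactive typing and say nothing about whether the sender is who they claim to be.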