Is there a reason why you can't stay with the old version of GTA's firewall?
--- "Christopher A. Congdon" <[EMAIL PROTECTED]> wrote:

> Lately, I have been encountering all sorts of problems concerning SMTP
> proxies. My latest fiasco was when we upgraded our Cisco router with
> security software, and suddenly none of our users can send e-mail anymore.
> It turns out that Cisco has functionality called SMTP Fixup, which is an
> SMTP proxy similar to the SMTP Proxy functionality on GTA's firewalls. Now
> Cisco, as well as GTA, seem to consider ESMTP a security risk. Exactly what
> I was told by GTA is:
>
> >Mail Sentinel SMTP proxy only supports a subset of SMTP commands and
> >does not support ESMTP. This was done on purpose to limit unauthorized
> >access to the internal mail server. The only commands that are
> >acceptable are: HELO, MAIL FROM, RCPT, DATA, RSET, NOOP and QUIT. We've
> >successfully been using this subset of SMTP commands in our proxy since
> >1994.
>
> I can understand some folks taking the stance of 'If it ain't broke, don't
> fix it'. However, the SMTP standard is about 23 years old! RFC821, written
> in August 1982, covers the SMTP feature set. And if you read this RFC,
> you'll see that SMTP has barely changed since it was first written. In
> order to address the additional functionality that was lacking in SMTP,
> the ESMTP RFC was written as RFC1425 in February 1993. In this intervening
> time, security companies seem to think that there is no need to upgrade to
> support this additional functionality. The e-mail server I bought, as well
> as the e-mail clients I have bought, support this functionality. But, if I
> want to ensure security, my security device actually destroys this
> functionality. Cisco goes so far as to actually FORGE messages between the
> server and client when ESMTP communication is attempted. If you send EHLO
> through Cisco Fixup, it receives this and then sends a NOOP to the server.
> The server then responds with a 250 OK, but the Cisco instead passes on a
> 550 to the client. (I watched this happen through a packet sniffer on my
> mail server, which was when I finally isolated the problem).
>
> Is there no way to write a proxy to make it secure with ESMTP? What
> exactly is this potential 'unauthorized access' that could occur on my
> server if I use ESMTP that you are trying to protect me from? What other
> alternatives do I have to secure my server from being an open relay yet
> still allow my users to send e-mail? (Personally, it would be too
> difficult for me to use IP-based security since my customers are on a
> diverse number of ISPs, each with their own peccadilloes when you attempt
> to send mail outbound through their servers instead). In the end, ESMTP
> isn't optional for me; it's a necessity, especially since I have a couple
> of new clients coming on board that wish to use ETRN services.
>
> This is not an attempt to slam GTA for its choices (although I'll be happy
> to slam Cisco for actually forging messages). It is just a request for you
> folks to re-visit these choices and discuss why this course of action has
> been taken and has not changed since 1993. I would like to be able to use
> the Mail Sentinel Anti-Virus to keep watch over my network, but not at the
> expense of security or functionality of my existing network.
>
> Christopher Congdon
> Network Engineer
> Congdon Web LLC
> 317-920-9601
>
> ------------------------------------------------------
> To unsubscribe: [EMAIL PROTECTED]
> For additional commands: [EMAIL PROTECTED]
> Archive: http://archives.gnatbox.com/gb-users/
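As an added illustration for this thread (not GTA's, Cisco's or the poster's code), the Python below models the command-subset proxy design that the quoted GTA statement describes: only the listed verbs reach the protected mail server. The one design choice it makes that differs from the behaviour the poster observed is how an unsupported command such as EHLO is answered: with a locally generated 502, which is RFC 821's reply for an unimplemented command and the reply an RFC 1425 client expects before retrying with HELO, rather than by altering a reply from the inner server. The inner server, the session transcript and the `FilteringProxy`/`run_session` names are all constructed for the example so it runs offline.

```python
"""Model of a command-subset SMTP proxy (added illustration; not GTA's,
Cisco's or the poster's code).

Only the verbs the quoted GTA statement lists are forwarded to the protected
mail server.  Anything else, EHLO included, is answered by the proxy itself
with a 502 (RFC 821's reply for an unimplemented command, and what an RFC 1425
client looks for before falling back to HELO).  No reply is altered in either
direction.  The inner server below is a constructed stand-in.
"""
import re

# Verbs the quoted GTA statement says the Mail Sentinel proxy accepts.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# An SMTP command line is a four-letter verb, optionally followed by an argument.
COMMAND_RE = re.compile(r"^([A-Za-z]{4})(?:\s+(.*))?$")


def parse_command(line):
    """Split one client line into (VERB, argument); (None, None) if malformed."""
    match = COMMAND_RE.match(line.rstrip("\r\n"))
    if not match:
        return None, None
    return match.group(1).upper(), (match.group(2) or "").strip()


class FilteringProxy:
    """Per-session state for the client-facing side of the proxy (constructed name)."""

    def __init__(self, allowed=ALLOWED_VERBS):
        self.allowed = set(allowed)
        self.in_data = False   # True while relaying a message body after DATA
        self.forwarded = []    # lines that actually reached the inner server

    def handle(self, line, inner_server):
        """Handle one client line and return the reply text sent to the client.

        `inner_server` is a callable standing in for the protected mail server;
        it is invoked only for lines the proxy decides to forward.
        """
        if self.in_data:
            # Message body: relayed verbatim up to the end-of-data marker.
            self.forwarded.append(line)
            if line.rstrip("\r\n") == ".":
                self.in_data = False
                return inner_server(line)
            return ""
        verb, _arg = parse_command(line)
        if verb is None:
            return "500 Syntax error, command unrecognized\r\n"
        if verb not in self.allowed:
            # Answered locally; the inner server never sees the command.
            return "502 Command not implemented\r\n"
        self.forwarded.append(line)
        reply = inner_server(line)
        if verb == "DATA" and reply.startswith("354"):
            self.in_data = True
        return reply


def fake_inner_server(line):
    """Constructed stand-in for the protected server: accepts every forwarded line."""
    if line.rstrip("\r\n") == ".":
        return "250 OK, message accepted\r\n"
    verb, _arg = parse_command(line)
    if verb == "DATA":
        return "354 Start mail input; end with <CRLF>.<CRLF>\r\n"
    if verb == "QUIT":
        return "221 Bye\r\n"
    return "250 OK\r\n"


def run_session(client_lines, proxy=None):
    """Feed a client transcript through the proxy; return one reply per line."""
    proxy = proxy if proxy is not None else FilteringProxy()
    return [proxy.handle(line, fake_inner_server) for line in client_lines]


if __name__ == "__main__":
    # Constructed transcript: an ESMTP client tries EHLO, gets 502, retries with HELO.
    transcript = [
        "EHLO client.example\r\n",
        "HELO client.example\r\n",
        "MAIL FROM:<sender@example.com>\r\n",
        "RCPT TO:<user@example.net>\r\n",
        "DATA\r\n",
        "Subject: test\r\n",
        ".\r\n",
        "QUIT\r\n",
    ]
    for sent, got in zip(transcript, run_session(transcript)):
        print("C: " + sent.rstrip())
        if got:
            print("S: " + got.rstrip())
```

Running the script shows the fallback the poster's clients never got a chance to perform: EHLO is refused with a 502 by the proxy alone, the client retries with HELO, and the rest of the transaction is forwarded unchanged. The model does not make ESMTP features such as ETRN available through the proxy; it only shows that restricting the command set does not require rewriting the inner server's replies.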
