I think that I was pretty clear about this in the sentence before the
one that you quoted. Most people running IMail do not have the option
of blocking access to SMTP (service providers for instance), and as long
as one can get to the SMTP service and the SMTP service is not patched,
it can be hacked.

I was clarifying this again because of a good deal of confusion before
about gateways stopping the exploits. They can help mask one's system,
but the only way to actually prevent the vulnerability is to either
patch or remove all SMTP access from such a server, at least to the
Internet. There are no SMTP Auth settings for IMail 8.x, and I'm not
sure that IMail 9.x is protected on the SMTP Auth port without this
patch anyway. Those that need to leave SMTP access open to the Internet
must either patch or use a proxy AND also firewall their server from the
Internet.

Those looking at a gateway specifically to resolve this issue will
mostly not find a complete solution due to not being able to firewall
their servers from the Internet.

Matt

Doug Traylor wrote:

> > All a script kiddie needs to do is point their exploit script at your
> > unprotected server's IP and it's toast. A gateway can't prevent that
> > from happening.
>
> Not true in our case. A gateway does protect your server if it's the
> only way to get to said server.
>
> Our gateway AV works after the ASSP proxy and intercepts all incoming
> email before IMail sees it. Connections to IMail are only made from
> our AV gateway or internal email clients. A script kiddie would have
> to use a non-malformed address and basically send a valid email with
> valid addresses to even get to our IMail server after all connection,
> recipient, and sender validation tests have passed the ASSP proxy and
> our AV gateway. We patched anyway to protect against internal
> attacks. ;o) I don't know how SSL and auth on port 587 would be
> affected for those sites that have external users, but that isn't an
> issue for pre-8.22 installs. On a similar note, ASSP can intercept
> and protect against malformed addresses and such on a secondary listen
> port for the purpose of SMTP auth and can route it to IMail listening
> on 587 or any other ip:port you like. Unfortunately, it cannot
> handle SSL connections for this purpose.
>
> All that being said, I'll have to worry when an exploit is found for
> my SMTP AV gateway, or ASSP. :o)
>
> Doug Traylor
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/