Len, et al.,
IMail 8.x does not support Auth-only on any port, so it is not possible
to simply work around the vulnerability in this way.
I agree that forcing SMTP Auth on the server itself would be best, while
leaving the MX related stuff to the gateway. Redirecting 25 to 587 on a
9.x server and forcing Auth would be best, but this setup requires port
redirection on a firewall so it is not a feature of a gateway, but it is
enabled by a gateway. The one caveat here is that IMail 9.x only allows
SMTP Auth connections when this is configured; the allow-relay IPs
cannot be used with this. I do hope that Ipswitch makes a change that
also enables IPs to be specified in place of logins when forcing
SMTP Auth.
I do not know whether vulnerable versions of 9.x, where SMTP Auth is
supported, would be protected from the exploit by forcing Auth. I
certainly wouldn't assume this to be the case without verification. For
those on 9.x, the upgrade to 9.1 is mostly not an issue and the upgrade
path is clear. For those that are on 8.2x, the upgrade path is also clear.
For those that don't have an upgrade path to at least 8.22 with the
patch and need SMTP access to the Internet, they will need at least a
proxy/relay for client access, a gateway for MX traffic and their box
firewalled. You only need a gateway and a firewall if you don't need
SMTP access to the Internet for your own users, like Doug, but this setup
is not common with IMail users. The only other solution would be an IDS
and a definition for the exploit (there might already be generic ones
that exist on these systems as the exploit uses invalid characters in
the domain name portion of the address).
Alligate is the only gateway product that I am aware of that can also be
setup to proxy/relay SMTP Auth in real-time back to the server, but I
wouldn't recommend this configuration simply for fixing this bug.
I believe that this capability exists in the product in order to ease
the transition to a gateway since most use the same names for MX and
SMTP access, but it is best to have these things be separate in which
case there should normally be no need to proxy/relay one's own customers
accessing SMTP. I'm sure there are other solutions for this in at least
Linux, but I am not familiar with them, and I don't believe that there
are any mainstream products available.
Matt
Len Conrad wrote:
I think that I was pretty clear about this in the sentence before the
one that you quoted.
with a front-end MX like IMGate taking raw Internet inbound, you can
really shut down via firewall access to the SMTP service, almost
completely hardening the SMTP service against attacks.
1. the firewall :
a. permits access to Imail port 587 for SMTP-AUTH only.
b. re-directs Imail port 25 to Imail port 587.
> Those looking at a gateway specifically to resolve this issue will
> mostly not find a complete solution due to not being able to firewall
> their servers from the Internet.
Exactly. Anyone not running a packet-filtering firewall in front of their
mail system is really asking for trouble.
Len
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
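The two controls discussed in the thread, forcing SMTP AUTH before any MAIL FROM is accepted (Matt's and Len's port 25 -> 587 setup) and a generic IDS-style check for invalid characters in the domain part of an envelope address (Matt's last fallback), as an added example in Python. This is not code from the thread or from IMail, IMGate or Alligate; it is a small policy state machine run over a constructed session transcript with a constructed credential table. The domain check is plain RFC 5321 hostname syntax (letters, digits, hyphens, dots), not a signature for any specific exploit. The relay_ips parameter goes beyond the thread: it is the "trusted IPs in place of logins" option Matt wishes IMail offered alongside forced AUTH.

```python
"""SMTP envelope policy: forced AUTH plus a hostname-syntax check on addresses.

Added example, not IMail/IMGate/Alligate code. Credentials, session lines and
the relay_ips option are constructed for illustration.
"""
import base64
import re

# Constructed credential table (a real server would consult its user store).
USERS = {"alice": "s3cret"}

# RFC 5321 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# Reverse/forward path as sent by clients: MAIL FROM:<addr> / RCPT TO:<addr>
_PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def domain_is_valid(addr: str) -> bool:
    """True when the part after the last '@' is a syntactically legal hostname.
    The empty reverse-path (<>) used for bounces is accepted."""
    if addr == "":
        return True
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    return len(domain) <= 255 and _DOMAIN_RE.match(domain) is not None


def check_auth_plain(initial_response: str) -> bool:
    """Verify an AUTH PLAIN initial response: base64(authzid NUL user NUL pass)."""
    try:
        parts = base64.b64decode(initial_response, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(parts) != 3:
        return False
    user = parts[1].decode("utf-8", "replace")
    password = parts[2].decode("utf-8", "replace")
    return USERS.get(user) == password


def run_session(lines, require_auth=True, client_ip=None, relay_ips=frozenset()):
    """Apply the policy to client command lines; return the server reply per line."""
    # A client from a trusted relay IP is treated as already authenticated
    # (the option the thread wishes IMail allowed together with forced AUTH).
    authed = client_ip is not None and client_ip in relay_ips
    mail_seen = False
    replies = []
    for line in lines:
        upper = line.upper()
        if upper.startswith(("EHLO ", "HELO ")):
            replies.append("250 OK")
        elif upper.startswith("AUTH "):
            fields = line.split(" ", 2)
            if len(fields) != 3 or fields[1].upper() != "PLAIN":
                replies.append("504 Unrecognized authentication type")
            elif check_auth_plain(fields[2]):
                authed = True
                replies.append("235 Authentication succeeded")
            else:
                replies.append("535 Authentication credentials invalid")
        elif upper.startswith(("MAIL FROM:", "RCPT TO:")):
            # The AUTH gate comes first: an unauthenticated client never gets
            # its address text as far as the address parser.
            if require_auth and not authed:
                replies.append("530 Authentication required")
                continue
            m = _PATH_RE.match(line)
            if not m:
                replies.append("501 Syntax error in parameters")
                continue
            verb, addr = m.group(1).upper(), m.group(2)
            if verb == "RCPT TO" and not mail_seen:
                replies.append("503 Bad sequence of commands")
                continue
            if not domain_is_valid(addr):
                # The generic IDS-style rule: bad characters in the domain part.
                replies.append("501 Invalid characters in domain part")
                continue
            mail_seen = mail_seen or verb == "MAIL FROM"
            replies.append("250 OK")
        elif upper.startswith("QUIT"):
            replies.append("221 Bye")
        else:
            replies.append("500 Command not recognized")
    return replies


# Constructed session: one MAIL FROM before AUTH, then a normal submission
# with two recipients whose domains violate hostname syntax.
SESSION = [
    "EHLO client.example",
    "MAIL FROM:<alice@example.org>",
    "AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode(),
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@mail.example.net>",
    "RCPT TO:<bob@bad^domain.example>",
    "RCPT TO:<bob@-leadinghyphen.example>",
    "QUIT",
]

if __name__ == "__main__":
    for cmd, reply in zip(SESSION, run_session(SESSION)):
        print(f"C: {cmd}\nS: {reply}")
```

Run as a script it prints the transcript; the point to notice is that the first MAIL FROM is answered 530 without its address ever being parsed, which is why forcing AUTH on the only reachable listener shields an address-parsing bug from anonymous clients, whereas the syntax check only helps once a command has been let through.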