Hi all,
I'm new to IMail Server and this group (less than 24 hours) and don't want to create waves. I've reviewed Len Conrad's web sites and have great respect for what he's accomplished with IMGATE. (I'm considering getting it to augment my IMail and Norton Antivirus for Gateways.)
--On Wednesday, March 05, 2003 9:01 AM -0600 Len Conrad <LConrad@Go2France.com> wrote:
> I've never heard of an MTA using IDENT to accept/refuse mail. A lot of
> security people have a hard time justifying why 113 is worth allowing
> access.
I can state with authority that I've personally seen SMTP servers that I run fail to connect to other remote SMTP servers (or connect only after long delays) when I first installed my firewall and did not open Port 113. Steve Gibson of GRC.COM is very well respected in Internet security matters. He offers good insights at <http://grc.com/faq-shieldsup.htm#IDENT>. While reading his site, keep in mind that he strives for fully "stealthed" PCs. This is not generally achievable when running a server like IMail, which is by nature exposed to the Internet at some level. Hiding Port 113 generally is done to completely hide the existence of a computer; servers generally don't have that luxury, so exposing port 113 isn't really giving away any secrets.
Mike K. (not me) wrote:
>Here's what Ipswitch says.
>http://support.ipswitch.com/kb/IM-19980513-ES01.htm
>No port 113
This is true. IMail does not itself use Port 113. But when IMail attempts a connection with another SMTP server, that remote server MIGHT attempt to Ident the IMail machine on port 113. (Most don't but some do.) IMail does not use port 53 (DNS) either, but the last line of the Ipswitch article notes "By the way, DNS uses port 53." The article might also have said "By the way, IDENT/AUTH uses port 113."
Len wrote:
>fwiw, I never run identd on IMGate servers and have never had any problems.
Steve Gibson makes the distinction between Open, Closed, and Stealthed ports. It may only be stealthed ports that cause the problem. So perhaps not running identd appears as a closed port which might be good enough to prevent problems.
My advice to the original poster is to open port 113 and see if the problem goes away (in addition to adding UDP to port 53). For those who keep port 113 closed or stealthed, I would carefully examine logs to see if any outbound messages are failing or running sluggishly. My experience was that only a small percentage of messages were affected by the port 113 issue. So the problem warrants careful attention.
I hope this is helpful.
Sincerely,
Michael Keen
http://www.inksite.com
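
The open / closed / stealthed distinction discussed in the message above can be checked against your own mail server from a host outside the firewall. The following Python sketch is an added example, not part of the original message; the function name `classify_port`, the extra "rejected" state and the timeout value are assumptions made for illustration.

```python
import errno
import socket
import sys
import time

IDENT_PORT = 113  # IDENT/AUTH, the port discussed in the message


def classify_port(host, port=IDENT_PORT, timeout=5.0):
    """Attempt one TCP connect and return (state, seconds_waited).

    open      - handshake completed (something is listening)
    closed    - connection refused (a RST came back), an immediate answer
    stealthed - nothing came back before the timeout (packet dropped)
    rejected  - a firewall answered with an ICMP unreachable
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "stealthed"
    except OSError as exc:
        if exc.errno not in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            raise
        state = "rejected"
    finally:
        sock.close()
    return state, time.monotonic() - start


if __name__ == "__main__":
    # Run from outside the firewall against your own server's address.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state, waited = classify_port(target)
    print(f"{target}:{IDENT_PORT} is {state} (answer after {waited:.2f}s)")
    if state == "stealthed":
        print("A remote MTA that sends an IDENT query gets no answer "
              "and has to wait for its own timeout before continuing.")
```

A "closed" or "rejected" result returns almost immediately, while "stealthed" takes the full timeout; that difference in waiting time is what the connecting side experiences.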
