> I've never heard of an MTA using IDENT to accept/refuse mail. A lot of security people have a hard time justifying why 113 is worth allowing access.
I can state with authority that I've personally seen SMTP servers that I run fail to connect to other remote SMTP servers (or connect only after long delays) when I first installed my firewall and did not open Port 113.
There are always occasional "bozo mailservers" that do weird things to try to block spam, that just don't work (such as making sure that the reverse DNS entry of a mailserver matches the domain name in the return address of the E-mail).
I hear all the horror stories about E-mail that can't be delivered for various reasons, but have never either heard of someone's E-mail not being delivered due to the lack of an ident server, nor have I ever heard of anyone who uses it as part of their spam control.
If you run a firewall that drops packets (which violates the RFCs, IIRC), it would cause delivery delays to mailservers that check the ident.
However, it should be noted that very few mailservers have ident set up. And, opening a port for ident does reduce security.
Steve Gibson of GRC.COM is very well respected in Internet security matters. He offers good insights at <http://grc.com/faq-shieldsup.htm#IDENT>. While reading his site, keep in mind that he strives for fully "stealthed" PCs. This is not generally achievable when running a server like IMail which is by nature exposed to the Internet at some level. Hiding Port 113 generally is done to completely hide the existence of a computer; servers generally don't have that luxury, so exposing port 113 isn't really giving away any secrets.
There's a big difference here that you may be overlooking:
[1] A server that runs ident, with a firewall that allows port 113 access,
[2] A firewall that blocks port 113 access,
[3] A firewall that stealths port 113.
I am against #1, as it does reduce security to some (probably very minor) extent.
#2 will cause no problems with the few mailservers that do ident lookups, and will not cause any security problems (except that a hacker might know that a server is present at that IP).
#3 is against the RFCs, and would slow down connections to mailservers that check ident.
This is true. IMail does not itself use Port 113. But when IMail attempts a connection with another SMTP server, that remote server MIGHT attempt to Ident the IMail machine on port 113. (Most don't but some do.) IMail does not use port 53 (DNS) either, but the last line of the Ipswitch article notes "By the way, DNS uses port 53." The article might also have said "By the way, IDENT/AUTH uses port 113."
Since IMail doesn't use ident, there is no point to having it open on the firewall. A remote mailserver won't be able to make the connection, whether or not the firewall allows ident packets through.
My advice to the original poster is to open port 113 and see if the problem goes away (in addition to adding UDP to port 53).
If it does cause the problem to go away, the firewall is operating in stealth mode (which is done almost exclusively by software or personal firewalls). Stealth mode has inherent drawbacks.
-Scott
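To tell which of the three cases Scott lists a firewall actually presents on port 113, here is an added example (not from this thread, nor IMail or Ipswitch code) that connects the way a peer MTA's ident lookup would and classifies the result as stealth (silent drop, the stalling case), closed (RST or unreachable, the fast refusal) or open, parsing any RFC 1413 reply it gets back. The host, the 25/40000 port pair and the 5-second timeout are assumptions.

```python
import errno
import socket

IDENT_PORT = 113  # RFC 1413 identd


def parse_ident_reply(line):
    """Parse an RFC 1413 reply line: '<sp>, <cp> : USERID : <os> : <user>'
    or '<sp>, <cp> : ERROR : <code>'. Malformed input is flagged, never trusted."""
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3 or "," not in fields[0]:
        return {"type": "MALFORMED", "raw": line.strip()}
    sp, cp = (p.strip() for p in fields[0].split(",", 1))
    if fields[1] == "USERID" and len(fields) == 4:
        return {"type": "USERID", "ports": (sp, cp), "os": fields[2], "user": fields[3]}
    if fields[1] == "ERROR":
        return {"type": "ERROR", "ports": (sp, cp), "code": fields[2]}
    return {"type": "MALFORMED", "raw": line.strip()}


def probe_ident(host, server_port, client_port, ident_port=IDENT_PORT, timeout=5.0):
    """Classify how `host` answers on the ident port:
      'stealth' - SYN silently dropped (connect times out); a remote MTA that
                  does ident lookups stalls for its own timeout before delivering
      'closed'  - TCP RST or ICMP unreachable; the RFC-friendly refusal, no delay
      'open'    - an identd answered; the parsed reply is returned as well
    The query format is '<server-port>, <client-port>' as a peer MTA would send."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, ident_port))
        except socket.timeout:
            return "stealth", None
        except ConnectionRefusedError:
            return "closed", None
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "closed", None
            raise
        s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
        reply = b""
        try:
            while not reply.endswith(b"\n") and len(reply) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass  # identd accepted but never answered; report open with an empty reply
        return "open", parse_ident_reply(reply.decode("ascii", "replace"))
```

Run it against your own mail server's public address from outside: "stealth" means a mail peer that does ident lookups will wait out its timeout before talking SMTP, while "closed" costs it nothing.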
