> Ultimately, anything unprotected that accepts unauthenticated mail
> for your local domain--even if on a non-well-known port--will be
> vulnerable. . .
Clarifying this note a bit more: even running on port 2525 will not be enough, eventually. SMTP is clearly becoming "just another service" to the spammers-cum-hackers syndicate, and as such is a service with a glaring and _vendor-independent_ attack vector in unauthenticated local delivery. So running an SMTP daemon that (a) accepts mail locally for your domain, (b) is incapable of elevating the privileges of (i.e. whitelisting) only mail sent via authenticated IPs or credentials, and (c) does not have anti-spam policies equivalent to those of your registered MXs, is akin to running, say, a webserver with a known DoS vulnerability on port 22222 and thinking you'll be A-OK.

The long-term solutions, as they would be with the webserver situation, are:

- hide the server from the public and require a VPN connection
- deploy an SMTP daemon listening on port 587 that only accepts authenticated mail, while matching credentials to your same mailbox userbase. It is possible to do this using a separate IMail server, or with MS SMTP and IMail's NT integration, and I'm working on some scripts to get it working with MS SMTP and the IMail native database.
- use a technology such as the mailbox-POP3-before-gateway-SMTP setup that I believe has been written for PostFix as part of the IMGate howto created by Len Conrad.

Note that I firmly do not believe that requiring users to use their ISP's SMTP server is a valid tactic due to the abiding (and, I have seen, growing) problems of provider reliability, the client configuration complexity (multiple credentials, etc.), and its inappropriateness for corporate environments where incoming and outgoing mail requires archiving and/or disclaimers. For some, it may be acceptable.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/
http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/

List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
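As an added illustration of the second long-term option above (a port-587 listener that accepts only authenticated submissions, kept separate from the port-25 MX that carries the anti-spam policy), here is a Postfix configuration fragment. It is not from the post, and it is not IMail or MS SMTP configuration; the Dovecot SASL socket path and the use of Dovecot as the authentication backend (so that credentials are checked against the same mailbox user base) are assumptions for the example.

```text
# master.cf: submission listener on port 587 (added example, not from the post).
# Only sessions that have completed SASL authentication may send anything;
# everything else is rejected before a recipient is even accepted.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# main.cf: the port-25 MX side. No SASL here, so credentials are never
# offered to the public port; unauthenticated clients may only deliver to
# the local domains and never relay, and the anti-spam checks apply to all.
smtpd_sasl_auth_enable = no
mydestination = $myhostname, localhost
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient
```

The split matters for the reasoning in the post: the port-587 service satisfies condition (b) because it whitelists only credentialed senders, and the port-25 service satisfies condition (c) because the spam policy lives there rather than on a second, unprotected listener. With `permit_mynetworks` restricted to a VPN subnet, the same fragment also covers the first option (hiding the server behind a VPN).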
