Richard Frovarp wrote:
> You could just as well lock down 25 on your outgoing and call it good.
> Only problem is 25 is blocked at the edge of some networks and your users
> won't be able to send to you. There is nothing inherently more secure
> about using the submission port.

The things being discussed are useful for controlling relaying, but
they're not what I use for containing viruses. Trying to segregate some
networks into "port 25 only" and others into "port 587 only" will
prevent roaming users (a bad thing to prevent), and won't really improve
things on the anti-virus side ... especially once virus authors figure
out how to extract passwords from locally installed mail clients.

What I do for containing viruses is:
1) block all dangerous attachments (.com, .exe, etc.). I block them
during the SMTP session. The only one that's really heavily been used
by known viruses, that I haven't blocked, is .zip. For .zip, I block
encrypted/password-protected .zip files, but let plain .zip files through.
2) virus scan _everything_ (SMTP-AUTH or not). I block detected viruses
during the SMTP session.
I do it in that order, so that the easier/lighter-cpu-weight check is
done before the heavier-cpu-weight check.
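
The cheap first-stage check described in the message above, sketched as an added example that is not part of the original post or the poster's own filter. The deny-list contents, the function names, the handling of unparsable .zip files and the sample messages are assumptions; the virus-scan stage is not implemented here.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed deny-list: the post names only .com and .exe ("etc.").
BLOCKED_EXTENSIONS = {".com", ".exe"}

def zip_is_encrypted(data):
    """True if any member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True  # assumption: an unparsable .zip is rejected too

def check_attachments(raw):
    """Cheap first-stage check on a raw message; returns (accept, reason)."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Trailing dots/spaces are ignored by Windows, so strip them first.
        ext = os.path.splitext(name.lower().rstrip(". "))[1]
        if ext in BLOCKED_EXTENSIONS:
            return False, "blocked extension " + ext
        if ext == ".zip" and zip_is_encrypted(part.get_payload(decode=True) or b""):
            return False, "encrypted zip"
    return True, "pass to virus scanner"

def make_zip(encrypted):
    """Constructed .zip; 'encrypted' only sets flag bit 0 in the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "hello")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.rfind(b"PK\x01\x02") + 8] |= 0x01  # flags field of the entry
    return bytes(data)

def build_sample(filename, payload):
    """Constructed one-attachment message (sample input, not from the post)."""
    msg = EmailMessage()
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Only messages that come back as accepted would go on to the heavier virus scan, which keeps the ordering described in the message.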