Firewall Wizards mailing list archives
RE: Permit or Proxy - SMTP
From: "Drage, Nicholas" <nickd () demon net>
Date: Fri, 1 Dec 2000 14:46:41 -0000
Hi,
-----Original Message-----
From: Martin, Craig [mailto:Craig.Martin () faht scot nhs uk]
Sent: Friday, November 24, 2000 10:12 AM
< snip - original poster considering opening up port 25 in the firewall to allow SMTP through >
My gut reaction is to tie down the destination IP address for outgoing then just permit replies from the same external host and probably proxy it too. However, my colleague has also asked if this could be allowed to all external hosts. This is the part that concerns me.
Me too :)
So...the question is...1) permit or proxy
IMHO best method of doing this would be to allow SMTP from a single host inside your firewall to a single host outside your firewall and vice versa, as you suggest. As far as your internal mailserver is concerned all remote mail goes out to this SmartHost on the Net; and the MX records for your domain on the Net send all email to the external mailserver, which has a "static mail route" to send all email for your domain to your internal SMTP server. This also means the provider of the external SMTP server, which may be yourself, the NHS, or your ISP, has to deal with all the mail relaying issues - hopefully you can pass this on to someone else.

Proxying is a good idea but if memory serves there have been problems with this on Cisco Pix, Checkpoint and even Borderware [1] (best guess, see securityfocus.com for confirmation), you're best off not depending on it. Personally I'd use a combination of packet filtering and host security instead, especially if you're only allowing email to and from one host.

*Note* this does give you two problems:

ONE - external SMTP server is a single point of failure, but to my mind that's a price worth paying for the security of this setup, YMMV.

TWO - you're partly dependent on the security of the external SMTP server for the security of the internal SMTP server, so if the external SMTP server belongs to a third party that might be a problem.

Apologies for vagueness, but I only know a little about the NHS security setup and that's from experience a few years back, so I'm not sure of the details that affect this.

I would expect your colleague's request for SMTP to "anywhere" probably meant they wanted email, initially sent via SMTP, to go to anyone on the Net - rather than they wanted to contact any SMTP server on the Internet directly. However if your colleague wants SMTP from any box that isn't the official mailserver to any other mailserver on the Net, then alarm bells should be ringing... sounds like someone using a personal email program that looks up MX records and contacts the destination's mail server directly, or other "personal" email use.
and 2) what are the risks here
Anyone compromising your SMTP server has access to the internal LAN, and immediately your mail system. Sorry to be so blunt ( partly because my train is pulling into the station :) but it really is that simple. Of course if you just want *outbound* SMTP with no inbound SMTP at all, that's a different matter.

Oh, and as always this is all my personal opinion and not that of my employer, but I'm sure they'd have some good ideas too.

[1] Not the proxy in the case of Borderware, but the SMTP servers. This was some time ago though.

--
Nick Drage - Security Architecture - Demon Internet - Laptop
That which does not kill me, can only make me bleed all over the floor.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
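
The packet-filtering layout described in the message above (SMTP only between one internal mail server and one external smarthost, in both directions) can be checked against a rule set. This is an added example, not part of the original message: the `Rule` shape, rule names and all addresses are constructed for illustration and are not tied to any firewall product.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

SMTP_PORT = 25

@dataclass(frozen=True)
class Rule:                      # hypothetical, vendor-neutral rule shape
    name: str
    action: str                  # "permit" or "deny"
    src: str                     # CIDR; 0.0.0.0/0 means any
    dst: str
    dport: Optional[int]         # None means any port

def audit_smtp_rules(rules, internal_mx, smarthost):
    """Names of permit rules that pass tcp/25 between anything other than
    the internal mail server and the external smarthost (either direction).
    Rule order and shadowing are ignored, so the result is conservative."""
    mx = ip_network(f"{internal_mx}/32")
    relay = ip_network(f"{smarthost}/32")
    allowed = {(mx, relay), (relay, mx)}
    flagged = []
    for r in rules:
        if r.action != "permit" or r.dport not in (None, SMTP_PORT):
            continue             # not a rule that can pass SMTP
        if (ip_network(r.src), ip_network(r.dst)) not in allowed:
            flagged.append(r.name)
    return flagged

# Constructed sample rule set; every address and name here is made up.
INTERNAL_MX, SMARTHOST = "10.0.0.25", "203.0.113.25"
SAMPLE_RULES = [
    Rule("out-smarthost", "permit", "10.0.0.25/32", "203.0.113.25/32", 25),
    Rule("in-smarthost", "permit", "203.0.113.25/32", "10.0.0.25/32", 25),
    # The "allow SMTP to all external hosts" request:
    Rule("out-any-smtp", "permit", "10.0.0.25/32", "0.0.0.0/0", 25),
    # Desktops delivering straight to remote MX hosts:
    Rule("desktop-direct", "permit", "10.0.0.0/24", "0.0.0.0/0", 25),
    Rule("web-out", "permit", "10.0.0.0/24", "0.0.0.0/0", 80),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name in audit_smtp_rules(SAMPLE_RULES, INTERNAL_MX, SMARTHOST):
        print("SMTP wider than mail server <-> smarthost:", name)
```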