Firewall Wizards mailing list archives

RE: Permit or Proxy - SMTP


From: "Drage, Nicholas" <nickd () demon net>
Date: Fri, 1 Dec 2000 14:46:41 -0000

Hi,

-----Original Message-----
From: Martin, Craig [mailto:Craig.Martin () faht scot nhs uk]
Sent: Friday, November 24, 2000 10:12 AM

< snip - original poster considering opening up port 25 in the firewall to
allow SMTP through >

My gut reaction is to tie down the destination IP address for
outgoing then just permit replies from the same external host 
and probably proxy it too.  However, my colleague has also 
asked if this could be allowed to all external hosts.  This 
is the part that concerns me.

Me too :)

So...the question is...1) permit or proxy

IMHO best method of doing this would be to allow SMTP from a single host
inside your firewall to a single host outside your firewall and vice versa,
as you suggest.  As far as your internal mailserver is concerned all remote
mail goes out to this SmartHost on the Net; and the MX records for your
domain on the Net send all email to the external mailserver, which has a
"static mail route" to send all email for your domain to your internal SMTP
server.

This also means the provider of the external SMTP server, which may be
yourself, the NHS, or your ISP, has to deal with all the mail relaying
issues - hopefully you can pass this on to someone else.

Proxying is a good idea but if memory serves there have been problems with
this on Cisco Pix, Checkpoint and even Borderware [1] ( best guess, see
securityfocus.com for confirmation ), you're best off not depending on it.
Personally I'd use a combination of packet filtering and host security
instead, especially if you're only allowing email to and from one host.

*Note* this does give you two problems:

ONE - external SMTP server is a single point of failure, but to my mind
that's a price worth paying for the security of this setup, YMMV.

TWO - you're partly dependent on the security of the external SMTP server
for the security of the internal SMTP server, so if the external SMTP server
belongs to a third party that might be a problem.

Apologies for vagueness, but I only know a little about the NHS security
setup and that's from experience a few years back, so I'm not sure of the
details that affect this.

I would expect your colleague's request for SMTP to "anywhere" probably
meant they wanted email, initially sent via SMTP, to go to anyone on the Net
- rather than they wanted to contact any SMTP server on the Internet
directly.

However if your colleague wants SMTP from any box that isn't the official
mailserver to any other mailserver on the Net, then alarm bells should be
ringing... sounds like someone using a personal email program that looks up
MX records and contacts the destination's mail server directly, or other
"personal" email use.

and 2) what are the risks here

Anyone compromising your SMTP server has access to the internal LAN, and
immediately your mail system.

Sorry to be so blunt ( partly because my train is pulling into the station
:) but it really is that simple.  Of course if you just want *outbound* SMTP
with no inbound SMTP at all, that's a different matter.

Oh, and as always this is all my personal opinion and not that of my
employer, but I'm sure they'd have some good ideas too.

[1] Not the proxy in the case of Borderware, but the SMTP servers.  This was
some time ago though.

-- 
Nick Drage - Security Architecture - Demon Internet - Laptop

That which does not kill me,
can only make me bleed all over the floor.
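
The single-relay packet-filtering policy recommended in the message above, written out as an added example that is not part of the original post: it classifies TCP/25 connections against the "one internal mail server, one external smarthost" rule and reports the flows that rule would deny. All addresses, names and flow records are constructed placeholders, and the internal range is assumed to be 10.0.0.0/8.

```python
import ipaddress

# All addresses are constructed placeholders (RFC 1918 / RFC 5737).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_MTA = ipaddress.ip_address("10.1.1.25")   # the one internal mail server
SMARTHOST = ipaddress.ip_address("192.0.2.25")     # the one external relay
SMTP_PORT = 25


def classify(src, dst, dport):
    """Return (verdict, reason) for a new TCP connection src -> dst:dport."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != SMTP_PORT:
        return "ignore", "not SMTP"
    src_inside, dst_inside = src in INTERNAL_NET, dst in INTERNAL_NET
    if src_inside == dst_inside:
        return "ignore", "does not cross the firewall"
    if src_inside:  # outbound
        if src != INTERNAL_MTA:
            return "deny", "host other than the mail server sending SMTP out"
        if dst != SMARTHOST:
            return "deny", "mail server bypassing the smarthost"
        return "permit", "mail server to smarthost"
    # inbound
    if src == SMARTHOST and dst == INTERNAL_MTA:
        return "permit", "smarthost to mail server"
    return "deny", "inbound SMTP outside the smarthost/mail-server pair"


def audit(flows):
    """Return the flows the single-relay policy would deny, with reasons."""
    findings = []
    for flow in flows:
        verdict, reason = classify(*flow)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings


# Constructed flow records (src, dst, dport), e.g. parsed from firewall logs.
SAMPLE_FLOWS = [
    ("10.1.1.25", "192.0.2.25", 25),     # mail server -> smarthost
    ("192.0.2.25", "10.1.1.25", 25),     # smarthost -> mail server
    ("10.2.3.44", "198.51.100.7", 25),   # desktop client delivering direct to an MX
    ("10.1.1.25", "198.51.100.7", 25),   # mail server skipping the smarthost
    ("203.0.113.9", "10.1.1.25", 25),    # arbitrary Internet host -> mail server
    ("10.2.3.44", "198.51.100.7", 443),  # unrelated traffic
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, "-", reason)
```

Run over real firewall logs, the "host other than the mail server" findings are the ones that correspond to the direct-to-MX personal mail clients the message warns about.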
