Penetration Testing mailing list archives

Re: SMTP service on Cisco VPN Concentrator


From: "Rony Romero" <romerorony () cantv net>
Date: Thu, 30 Mar 2006 17:38:05 -0400

Hi Rick, I hope that this can help you.
Best regards,
Rony

WebVPN | E-Mail Proxy
This screen lets you configure e-mail proxies for WebVPN. They include IMAP4S, POP3S, and SMTPS. WebVPN e-mail proxy has requirements in addition to the configuration parameters on this screen. These include:

a.. Users who access e-mail from both local and remote locations via e-mail proxy require separate e-mail accounts on their e-mail program for local and remote access.

b.. When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol, and then requires that the user authenticate.

Screen Elements
a.. VPN Name Delimiter -- Use the drop-down menu to select a delimiter that separates the VPN username from the e-mail username. Users need both usernames when using Concentrator authentication for e-mail proxy and the VPN username and e-mail username are different. Users enter both usernames, separated by the delimiter you configure here, and also the e-mail server name, when they log in to an e-mail proxy session.

Note Passwords for WebVPN e-mail proxy users cannot contain characters that are used as delimiters.

b.. Server Delimiter -- Use the drop-down menu to select a delimiter that separates the username from the name of the e-mail server. It must be different from the VPN Name Delimiter. Users enter both their username and server in the username field when they log in to an e-mail proxy session.

For example, using : as the VPN Name Delimiter and @ as the Server Delimiter, when logging in to an e-mail program via e-mail proxy, the user would enter their username in the format vpn_name:e-mail_name@server.

c.. E-Mail Protocol -- WebVPN supports three e-mail proxies: POP3S and IMAP4S for receiving e-mail, and SMTPS for sending e-mail.

Note To use these e-mail proxies, you must also allow these session types on the appropriate VPN Concentrator interface (Configuration | Interfaces | Ethernet | WebVPN Tab).

a.. POP3S -- POP3S is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens to port 995, and connections are automatically allowed to port 995 or to the configured port. The POP3 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the POP3 protocol starts, and then authentication occurs.

b.. IMAP4S -- IMAP4S is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens to port 993, and connections are automatically allowed to port 993 or to the configured port. The IMAP4 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the IMAP4 protocol starts, and then authentication occurs.

c.. SMTPS -- SMTPS is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens to port 988, and connections are automatically allowed to port 988 or to the configured port. The SMTPS proxy allows only SSL connections on that port. After the SSL tunnel establishes, the SMTPS protocol starts, and then authentication occurs.

   SMTPS is the only one of these e-mail proxies that lets you send e-mail.

d.. VPN Concentrator Port -- Identifies the port on the VPN Concentrator that each e-mail proxy uses. You can change the port for any or all of the e-mail proxies. Be aware that the remote PC in a WebVPN connection may be using different ports for e-mail proxy traffic than the ports you configure for the VPN Concentrator.

e.. Default E-Mail Server -- Enter the name or IP address of the default server for the e-mail proxy you are configuring.

f.. Authentication Required -- Each e-mail proxy has several different methods that you can use to authenticate users. You can require them either singly or in combination, but you must configure at least one authentication method for an e-mail protocol.

g.. E-Mail Server -- Mail server authentication requires only the user's e-mail username, server and password. IMAP4S and POP3S both require mail server authentication; you cannot uncheck these boxes.

h.. Concentrator -- Concentrator authentication authenticates the e-mail session by using its configured authentication servers. The user presents a username, server and password. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.

i.. Piggyback HTTPS -- This authentication scheme requires a user to have already established a WebVPN session. The user presents an e-mail username only. No password is required. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.

SMTPS e-mail most often uses piggyback authentication because most SMTP servers do not allow users to log in.

 See Piggyback HTTPS and IMAP Sessions below.

j.. Certificate -- Certificate authentication requires that users have a certificate that the VPN Concentrator can validate during SSL negotiation. You can use certificate authentication as the only method of authentication for SMTPS proxy. Other e-mail proxies require two authentication methods.

Certificate authentication requires three certificates, all from the same CA:

   a.. A CA certificate on the VPN Concentrator

   b.. A CA certificate on the client PC

c.. A Web Browser certificate on the client PC, sometimes called a Personal certificate or a Web Browser certificate.

E-mail proxy with certificate authentication does not work with Internet Explorer (IE). It does work with Netscape (Cisco tested using version 7.1), and with Mozilla (Cisco tested using version 1.2.1).

 See How to Request and Install Certificates below.

k.. Apply -- Click to apply your E-mail settings, and to include your settings in the active configuration. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.

l.. Cancel -- Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.

Piggyback HTTPS and IMAP Sessions
IMAP generates a number of sessions that are not limited by the simultaneous user count but do count against the number of simultaneous logins allowed for a username. If the number of IMAP sessions exceeds this maximum and the WebVPN connection expires, a user cannot subsequently establish a new connection.

There are several solutions:

a.. The user can close the IMAP application to clear the sessions with the VPN Concentrator, and then establish a new WebVPN connection.

b.. The administrator can increase the simultaneous logins for IMAP users (Configuration | User Management | Base Group/Groups/Users | General Tab).

 c.. Disable HTTPS/Piggyback authentication for e-mail proxy.

How to Request and Install Certificates
The following steps show you how to request and install certificates. For complete instructions on enrolling and installing CA certificates, see the Certificate Management chapter in Volume II: Administration and Monitoring.

1.. If the VPN Concentrator does not already have a CA certificate installed, install a CA certificate.

a.. The CA must be the same one that you are using to issue the CA and Web Browser certificates on the client PC.

   a.. The certificate must be base-64 encoded.

b.. Use a Netscape or Mozilla browser to install the CA certificate. If you use IE, the certificate downloads to the IE Crypto Application Program Interface (CAPI); it must be in the CAPI for the browser you are actually using.

1.. Open the certificate using the Netscape or Mozilla Certificate Manager before importing it onto the VPN Concentrator.

2.. In the Downloading Certificates screen, make sure that the CA is trusted to identify websites and e-mail users (trusting software developers is optional). Alternatively, when the CA certificate has been loaded onto the concentrator, check the details of the certificate to ensure these trusted attributes are enabled.

3.. On the client PC, use a Netscape or Mozilla browser to request a CA certificate from the same certificate authority.

4.. On the client PC, request a Personal or Web Browser certificate from the same certificate authority. Complete the fields on the request form as follows:

a.. The certificate request must be for a Web Browser or Personal Certificate, not an E-mail Protection Certificate.

E-mail protection certificates are not for SSL connections; they are for encrypting and sending e-mail. Web Browser certificates protect the e-mail session over SSL.

   b.. Name = account name, for example, JohnDoe.

c.. E-Mail = e-mail address being authenticated, for example, JohnDoe () myMail com.

   d.. Key strength Cisco tested = 1024; any of the choices should work.

e.. Password is optional, and applies only to the certificate for export purposes.

5.. When the certificate is generated, choose Install Certificate. In some cases, the CA installs it automatically.

6.. To verify that the certificate is installed, use the Netscape Certificate Management application. The path is Edit > Preferences > Privacy and Security > Certificates > Manage Certificates > Your Certificates.

7.. On the Configuration | Tunneling and Security | WebVPN | E-Mail Proxy screen, for Authentication Required, select E-Mail Server and Certificate.



----- Original Message ----- From: "Rick Zhong" <sagiko () gmail com>
To: <pen-test () securityfocus com>
Sent: Thursday, March 30, 2006 4:01 AM
Subject: SMTP service on Cisco VPN Concentrator


Hi,
I was carrying out a pen-test on a Cisco VPN Concentrator (3000);
a Nessus 3.0 scan discovered a number of mail-related ports such as SMTP
at 988, imaps at 993 and https at 443.  I tried to telnet to port
988 to verify but cannot get anything, not even a banner.

Initially I considered this a false positive, but after some searching
on Google, it seems the Cisco VPN Concentrator does have an SMTP proxy at
port 988 and imaps services.   I cannot find any other traces of these
SMTP ports besides the Nessus report.

Does anyone have more information on these SMTP proxy services on the
Cisco VPN Concentrator (3000)? Are there any known security issues with
these services on? Thanks.

regards,
Rick Zhong

www.sinfosec.org
www.security.org.sg

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/forms/ec.php?pubid=10025
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------
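
Added example, not part of the original posts or of Cisco's documentation: the quoted text says each e-mail proxy accepts only SSL on its port and starts the mail protocol after the tunnel is up, which is why a telnet session to 988 shows no banner. The sketch below tells such a listener apart from a cleartext mail service when verifying a scanner finding on your own device; the function names, the outcome labels and the placeholder address 192.0.2.10 are assumptions of this example.

```python
import socket
import ssl

def client_hello(host: str) -> bytes:
    """Build a real TLS ClientHello in memory with the ssl module (no network I/O)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()           # writes the ClientHello, then needs server data
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def probe(host: str, port: int, wait: float = 3.0) -> str:
    """Classify a listener: plaintext-banner, implicit-tls, no-response, closed, unknown."""
    with socket.create_connection((host, port), timeout=wait) as sock:
        try:
            banner = sock.recv(256)  # cleartext SMTP/POP3/IMAP servers speak first
        except socket.timeout:
            banner = None            # silence: what a telnet session to 988 shows
        if banner:
            return "plaintext-banner"
        if banner == b"":
            return "closed"
        sock.sendall(client_hello(host))
        try:
            reply = sock.recv(5)     # TLS record header: type, version(2), length(2)
        except socket.timeout:
            return "no-response"
        except OSError:
            return "closed"
    # 0x16 = handshake (ServerHello), 0x15 = alert; either means a TLS stack answered
    if len(reply) >= 2 and reply[0] in (0x15, 0x16) and reply[1] == 0x03:
        return "implicit-tls"
    return "unknown"

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder; the ports are the
    # defaults named in the quoted Cisco text (SMTPS 988, IMAP4S 993, POP3S 995).
    for port in (988, 993, 995):
        try:
            print(port, probe("192.0.2.10", port))
        except OSError as exc:
            print(port, "unreachable:", exc)
```

An alert record (0x15) is counted as TLS on purpose: an older SSL stack may refuse a modern ClientHello and still show that the port expects SSL/TLS before any mail protocol.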



