Educause Security Discussion mailing list archives
Re: Blocking port 25 outbound
From: Information Security <infosecurity () UTPA EDU>
Date: Mon, 22 Aug 2005 15:24:02 -0500
Michael Grinnell wrote:
Also, it helps to set up SMTP AUTH first. That way, your users can set their email programs to always use your outbound mail server, and they won't have to keep changing their outbound mail server when they move on and off campus.
Agreed, although an alternative trick is to have a split DNS. You can have thousands of hosts with proper names in your internal DNS but just a key few visible to the world, such as "www", "mail", "smtp", etc. (Bind 9 does this quite easily. Dunno about other DNS servers.)

Anyway, the trick there is that:

1) you use a different name for MX hosts than you do for machines which your clients connect to (e.g. incoming MX points to "spamfilter.univ.edu" but clients send SMTP mail through "smtp.univ.edu");

2) you have an SMTP host for 'outside' clients which has the same name as for inside, but which insists on SMTP AUTH, whereas the internal one takes connections from anyone with a valid IP in your own subnets (i.e. internal IPs see the open server as "smtp.univ.edu" but external hosts see the auth-configured server when they access that name). [And yes, you can configure one server to do both roles; I'm just a big believer in keeping functions separate, especially when you can trivially configure a "user mode linux" virtual server to take on a lightweight role like an smtp-auth server which won't get much load. Keeping them separate simplifies configuration tremendously.]

3) You block access from off-campus to all SMTP servers *except* your MX hosts for incoming mail, and your SMTP AUTH server for outgoing mail from your road warriors.

G
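The split-DNS arrangement described in the message above, written out as a BIND 9 configuration. This is an added example, not configuration from the original poster or from UTPA: the zone name "univ.edu" and the host names "spamfilter", "smtp" and "www" come from the message, while the campus netblock 10.0.0.0/8, the public addresses in 192.0.2.0/24 and the file paths are assumptions. The internal view carries the full host list and answers "smtp" with the open campus relay; the external view carries only the public names and answers "smtp" with the address of the SMTP AUTH host. Views are matched in order, so the internal view must come first.

```bind
# /etc/named.conf  (BIND 9)  -- added example, hypothetical addresses
acl campus { 10.0.0.0/8; 127.0.0.0/8; };

view "internal" {
    match-clients { campus; };
    recursion yes;               # campus hosts may use this as a resolver
    zone "univ.edu" {
        type master;
        file "zones/univ.edu.internal";   # thousands of hosts
    };
};

view "external" {
    match-clients { any; };      # everything that did not match "campus"
    recursion no;                # never be an open resolver to the world
    zone "univ.edu" {
        type master;
        file "zones/univ.edu.external";   # only the few public names
    };
};

; zones/univ.edu.internal  -- what campus clients see
$TTL 3600
@           IN SOA ns1.univ.edu. hostmaster.univ.edu. (
                2005082201 3600 900 1209600 300 )
@           IN NS  ns1.univ.edu.
@           IN MX  10 spamfilter.univ.edu.
ns1         IN A   10.0.0.53
www         IN A   10.0.0.80
spamfilter  IN A   10.0.0.25   ; incoming MX, separate name from "smtp"
smtp        IN A   10.0.0.26   ; relays for campus subnets only, no AUTH
smtp-auth   IN A   10.0.0.27   ; the SMTP AUTH host, internal address
lab-pc-0042 IN A   10.5.6.7    ; internal-only names never leave campus

; zones/univ.edu.external  -- what the rest of the world sees
$TTL 3600
@           IN SOA ns1.univ.edu. hostmaster.univ.edu. (
                2005082201 3600 900 1209600 300 )
@           IN NS  ns1.univ.edu.
@           IN MX  10 spamfilter.univ.edu.
ns1         IN A   192.0.2.53
www         IN A   192.0.2.80
spamfilter  IN A   192.0.2.25  ; the only host off-campus MTAs may reach on 25
smtp        IN A   192.0.2.27  ; same name as inside, but this is the AUTH host
```

Two checks worth making after loading this: query "smtp.univ.edu" once from a campus address and once from outside and confirm the answers differ, and confirm the external view returns NXDOMAIN for an internal-only name such as "lab-pc-0042". Note that once any view is declared, BIND 9 requires every zone, including the root hints, to live inside a view; a zone left at the top level is a configuration error. The firewall rule from point 3 is separate from DNS: off-campus sources should reach port 25 only on the spamfilter address and the AUTH host's public address, so a road warrior whose client resolves "smtp.univ.edu" externally lands on the host that insists on SMTP AUTH.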
Current thread:
- Blocking port 25 outbound Lazor, Joseph (Aug 22)
- <Possible follow-ups>
- Re: Blocking port 25 outbound Aaron Childs (Aug 22)
- Re: Blocking port 25 outbound Liliana Moisa (Aug 22)
- Re: Blocking port 25 outbound Randy Marchany (Aug 22)
- Re: Blocking port 25 outbound CHARLES MORROW-JONES (Aug 22)
- Re: Blocking port 25 outbound Michael Grinnell (Aug 22)
- Re: Blocking port 25 outbound Information Security (Aug 22)
- Re: Blocking port 25 outbound Michael Halm (Aug 22)
- Re: Blocking port 25 outbound Joe St Sauver (Aug 22)
- Re: Blocking port 25 outbound Information Security (Aug 22)
- Re: Blocking port 25 outbound Information Security (Aug 22)
- Re: Blocking port 25 outbound Trevor J Corbett (Aug 22)
- Re: Blocking port 25 outbound Christopher E. Cramer (Aug 22)
- Re: Blocking port 25 outbound Jason Richardson (Aug 22)
- Re: Blocking port 25 outbound Scott Genung (Aug 22)
- Re: Blocking port 25 outbound Matthew Keller (Aug 22)
- Re: Blocking port 25 outbound Information Security (Aug 22)
- Re: Blocking port 25 outbound Michael Sinatra (Aug 22)
- Re: Blocking port 25 outbound John Kristoff (Aug 22)
- Re: Blocking port 25 outbound Chris Steele (Aug 22)
(Thread continues...)