Educause Security Discussion mailing list archives

Re: blocking port 25 at the border?

From: Randy Marchany <marchany () CANDI2 CIRT VT EDU>
Date: Thu, 23 Aug 2007 17:50:38 -0400

Do you regulate port 25 at the border? If so, what is your procedure for >

allowing an exception (for a legit email server)?

What administrative approvals were required at your institution before you >

could regulate port 25?

We don't regulate port 25 at the border. We've been scanning email sent to the
central email servers for virus/trojan horses/spam since 2001. We've
intercepted ~47 million inbound emails since then. Clearly, this is a
worthwhile

The security risk is an improperly configured email server and NOT the fact
that the email server exists. A lot of institutions throw up their hands
trying to "secure" campus email servers and pick the easy way out which is
"write a policy that restricts email servers".

There are a thousand reasons to allow email servers on campus. There is only 1
to restrict them - insecure systems allowing email services to be abused
(relays, spam, etc.). This single reason shouldn't be used except for repeated
offenses. Scanning for vulnerable email servers, providing
guidelines/checklists for proper configuration of email servers, user and
sysadmin awareness programs as a package provide adequate controls to the
misconfigured email server threat.

Why not restrict email servers? In times of crisis (we had one recently) or
cyber/virus attacks, central services can get overwhelmed. You might wind up
opening up email services to everyone on campus and discover that the world
didn't end :-). Workstation based email servers provide an out-of-band
communication channel. They may or may not be the official "registered" email
servers and in crisis mode, forcing mgt of email servers is time wasted. When
MyDoom hit us in 2004, it took 60 hours to clear the central email servers.
The responders used out-of-band email services to communicate with each other.

Just my .02.

        -Randy Marchany
        VA Tech IT Security Lab
        VA Tech
        Blacksburg, VA 24060
        540-231-9523
        marchany () vt edu
        http://security.vt.edu

Current thread:

blocking port 25 at the border? Bob Bayn (Aug 23)
- <Possible follow-ups>
- Re: blocking port 25 at the border? Mark Borrie (Aug 23)
- Re: blocking port 25 at the border? Gary Flynn (Aug 23)
- Re: blocking port 25 at the border? Randy Marchany (Aug 23)
- Re: blocking port 25 at the border? Gary Flynn (Aug 23)
- Re: blocking port 25 at the border? Dave Koontz (Aug 23)
- Re: blocking port 25 at the border? H. Morrow Long (Aug 23)
- Re: blocking port 25 at the border? Mark Borrie (Aug 23)
- Re: blocking port 25 at the border? Kenneth Arnold (Aug 23)
- Re: blocking port 25 at the border? Lutzen, Karl F. (Aug 23)
- Re: blocking port 25 at the border? Matthew Keller (Aug 23)
- Re: blocking port 25 at the border? Curt Wilson (Aug 24)