Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: "Kreider, Randall G" <kreiderr () ETOWN EDU>
Date: Fri, 25 Apr 2008 11:00:13 -0400

Sorry...having a real bad day here...I'm hoping my first two questions
could be answered by Tim at Wellesley.

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kreider, Randall G
Sent: Friday, April 25, 2008 10:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outbound SMTP

 

Sorry for this post.  It was not meant to be sent to the group.  But
since it was, I thought I'd follow up with a few questions of my own.

 

Matt...how easy is it for you to make changes such as this without
seeking permission first?  I envy you a bit.  We struggle sometimes at
making some of what appear to be even the most obvious changes.

 

Also for Matt...how many "exceptions" did you have to allow to pacify
users?

 

Lastly...for all...could you help me in describing some of the threats
to our institution if we did NOT do this?

Thanks in advance.

Randall Kreider

Elizabethtown College

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kreider, Randall G
Sent: Friday, April 25, 2008 10:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outbound SMTP

 

Steve,

 

I read through most of these responses and can agree with all of them.
This is not new information.  By leaving SMTP open outbound, we are
exposing ourselves to the opportunity for abuse.  Compromised machines
could be used to send emails out through known relays, or perhaps
through the machine's default SMTP server.

 

The response below includes some interesting remarks.  One that I find
most interesting is "we never ask for permission".  I do not like their
approach though in that they blocked it for everyone and then opened it
up for those that squawked.  I would rather make a decision and stick to
it.

 

Blocking SMTP outbound would break anyone that has their machine
configured to route mail through an external SMTP server.  The response
that talks about relaying is not saying anything glamorous about
capturing and rerouting traffic.  They were simply saying that they
allow students to directly submit SMTP mail to their servers and then
relay it out for them.  We already do that.  Our recommended
configuration for POP or IMAP is to use smtp.etown.edu as the designated
SMTP server.

We've discussed this at a few meetings with Ron in the past.  This is
something we could put back on the list.  I've scrawled it on the board
for now.


Randall

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Cantin
Sent: Friday, April 25, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outbound SMTP

 

Matt,

 

I would strongly suggest implementing that rule at your perimeter
firewall!

 

We block all smtp traffic except to/from known hosts. So we allow our
own central mail servers of course, a handful of trusted local entities
(i.e. CS's mail server and several others), and just a few outside sites
for convenience on request (i.e. Comcast.net). 

 

We never asked permission, we just did it. A handful of knowledgeable
people squawked, and we opened access for their particular needs.

 

Since then we haven't received a single complaint from the outside about
spam originating from our site. 

 

In addition, since that rule went into effect we have also implemented
Cisco Clean Access for every desktop on campus (students, faculty, and
staff alike). We enforce Windows updates and anti-virus installed &
updated. Yeah, it was a little expensive, but it literally eliminated
viruses on user desktops, a condition which was causing vast hours and
hours of work from our Helpdesk to assist users in cleaning up their
computers. It was a fantastic return on investment, though now our users
have to try a little harder to stay on the network - which not all of
them are thrilled about. IMHO they should've been doing this right
along, of course. If you can't afford a full implementation, consider
phasing it in over time. We put our residence halls on it one summer,
and then the rest of the campus the next summer thereby splitting the
cost across two fiscal years. 

 

Good luck!

 

-Tim

 

---

Tim Cantin, Senior Network Engineer

Wellesley College, IS/Technology Infrastructure Group

223 Simpson Hall East, 106 Central Street
Wellesley, Massachusetts 02481-8203
http://www.wellesley.edu/~tcantin/
phone: (781)283-3520 fax: (781)283-3682

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Friday, April 25, 2008 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Outbound SMTP

 

I am curious how many other schools block outbound SMTP, and if so from
which or all networks?

 

We currently still allow it; however, I see very few legit connections.
Usually once a week I find another student who has become malware
infected, and have to shut them off until they can prove their computer
is clean (unfortunately we don't have a true NAC as budget does not
allow).

 

The biggest problem is wireless users.  I can block MAC addresses,
however this ends up taking a lot of time from start to finish (by the
time I log in to WCS, push the policy to all the controllers, document
it, notify our helpdesk team for the incoming phone call they will get,
then all those steps in reverse when the computer is cleaned).

 

I have been considering approaching management to just block all port 25
traffic.  My holdback is that I feel bad for anyone that has their own
domain somewhere and sends mail through it.  We do not allow students to
relay SMTP mail through our mail servers.

 

Thoughts?  Thanks for your input,

 

Matt

 

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
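As an added example (not part of any message in this thread, and not code from any of the institutions named), the following Python models the two practical pieces the thread discusses: Tim's perimeter rule (port 25 allowed only to or from known hosts, namely the central mail servers, a few trusted local servers, and a short list of outside hosts added on request) and Matt's weekly hunt for malware-infected hosts, here done by running that rule over constructed firewall flow log lines and listing campus hosts that attempted direct port 25 delivery to several non-allowlisted destinations. The campus range, every address, the log line format and the threshold are assumptions chosen for the example.

```python
"""Outbound-SMTP perimeter rule and infected-host triage over firewall flow logs."""
import ipaddress
import re
from collections import defaultdict

# --- Policy, modelled on the allowlist described in the thread (all values assumed) ---
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed campus address space
CENTRAL_MAIL = {"10.1.1.25"}                         # constructed central mail relay
TRUSTED_LOCAL = {"10.20.5.25"}                       # e.g. a departmental mail server
ALLOWED_EXTERNAL = {"203.0.113.25"}                  # e.g. an ISP's SMTP host, added on request
SMTP_PORT = 25

# Constructed flow-log format: "src=A dst=B dport=N" per line (not any vendor's real format).
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_campus(ip):
    """True if the address falls inside one of the assumed campus networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def smtp_decision(src, dst, dport):
    """Return 'allow' or 'deny' for one flow under the perimeter rule.

    The rule only concerns port 25: SMTP is permitted when either endpoint is a
    known host (central mail, trusted local, or an allowlisted outside server).
    Anything else on port 25 is denied; other ports are untouched.
    """
    if dport != SMTP_PORT:
        return "allow"
    known = CENTRAL_MAIL | TRUSTED_LOCAL | ALLOWED_EXTERNAL
    if src in known or dst in known:
        return "allow"
    return "deny"


def parse_flow(line):
    """Parse one constructed log line into (src, dst, dport), or None if malformed."""
    match = LOG_RE.search(line)
    if not match:
        return None
    return match["src"], match["dst"], int(match["dport"])


def evaluate(lines):
    """Apply the rule to each parsable flow; return [(src, dst, dport, decision), ...]."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow:
            results.append((*flow, smtp_decision(*flow)))
    return results


def suspect_hosts(lines, min_destinations=3):
    """Campus hosts that tried port 25 to at least min_destinations distinct
    non-allowlisted servers: the direct-to-MX pattern of a spam-sending infection,
    the thing Matt reports finding about once a week. Returns {src: [dst, ...]}."""
    destinations = defaultdict(set)
    for src, dst, dport, decision in evaluate(lines):
        if decision == "deny" and is_campus(src):
            destinations[src].add(dst)
    return {src: sorted(d) for src, d in destinations.items() if len(d) >= min_destinations}


# Constructed sample log: one well-behaved client, one host spraying port 25,
# and one client using the authenticated submission port (587), which a port-25
# rule does not affect.
SAMPLE_LOG = """\
src=10.50.3.7 dst=10.1.1.25 dport=25
src=10.50.3.7 dst=203.0.113.25 dport=25
src=10.50.3.9 dst=198.51.100.10 dport=25
src=10.50.3.9 dst=198.51.100.11 dport=25
src=10.50.3.9 dst=198.51.100.12 dport=25
src=10.50.3.9 dst=198.51.100.13 dport=25
src=10.50.3.7 dst=198.51.100.50 dport=443
src=10.50.3.8 dst=192.0.2.9 dport=587
""".splitlines()

if __name__ == "__main__":
    for record in evaluate(SAMPLE_LOG):
        print(record)
    print("suspects:", suspect_hosts(SAMPLE_LOG))
```

Two things the sample is arranged to show. First, the host that only ever talks to the central relay and to an allowlisted outside server is never denied, so it never appears in the suspect list, while the host contacting four unrelated servers on port 25 does; that per-source fan-out, rather than any single denied connection, is what distinguishes a malware infection from a user with one unusual mail setup. Second, the flow on port 587 passes through untouched: authenticated submission on 587 is the standard answer to Matt's concern about people who send through their own domain's server, since a port-25 block leaves it alone and removes the need for a per-user exception.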

