Educause Security Discussion mailing list archives
Re: Outbound SMTP
From: "Kreider, Randall G" <kreiderr () ETOWN EDU>
Date: Fri, 25 Apr 2008 11:00:13 -0400
Sorry...having a real bad day here...I'm hoping my first two questions could be answered by Tim at Wellesley.

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kreider, Randall G
Sent: Friday, April 25, 2008 10:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outbound SMTP

Sorry for this post. It was not meant to be sent to the group. But since it was, I thought I'd follow up with a few questions of my own.

Matt...how easy is it for you to make changes such as this without seeking permission first? I envy you a bit. We struggle sometimes at making some of what appear to be even the most obvious changes.

Also for Matt...how many "exceptions" did you have to allow to pacify users?

Lastly...for all...could you help me in describing some of the threats to our institution if we did NOT do this?

Thanks in advance.

Randall Kreider
Elizabethtown College

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kreider, Randall G
Sent: Friday, April 25, 2008 10:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outbound SMTP

Steve,

I read through most of these responses and can agree with all of them. This is not new information. By leaving SMTP open outbound, we are exposing ourselves to the opportunity for abuse. Compromised machines could be used to send emails out through known relays, or perhaps through the machine's default SMTP server.

The response below includes some interesting remarks. One that I find most interesting is "we never ask for permission". I do not like their approach though, in that they blocked it for everyone and then opened it up for those that squawked. I would rather make a decision and stick to it. Blocking SMTP outbound would break anyone that has their machine configured to route mail through an external SMTP server.

The response that talks about relaying is not saying anything glamorous about capturing and rerouting traffic. They were simply saying that they allow students to directly submit SMTP mail to their servers and then relay it out for them. We already do that. Our recommended configuration for POP or IMAP is to use smtp.etown.edu as the designated SMTP server.

We've discussed this at a few meetings with Ron in the past. This is something we could put back on the list. I've scrawled it on the board for now.

Randall

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Cantin
Sent: Friday, April 25, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outbound SMTP

Matt,

I would strongly suggest implementing that rule at your perimeter firewall! We block all SMTP traffic except to/from known hosts. So we allow our own central mail servers of course, a handful of trusted local entities (e.g. CS's mail server and several others), and just a few outside sites for convenience on request (e.g. Comcast.net). We never asked permission, we just did it. A handful of knowledgeable people squawked, and we opened access for their particular needs. Since then we haven't received a single complaint from the outside about spam originating from our site.

In addition, since that rule went into effect we have also implemented Cisco Clean Access for every desktop on campus (students, faculty, and staff alike). We enforce Windows updates and anti-virus installed & updated. Yeah, it was a little expensive, but it literally eliminated viruses on user desktops, a condition which was causing vast hours and hours of work from our Helpdesk to assist users in cleaning up their computers. It was a fantastic return on investment, though now our users have to try a little harder to stay on the network - which not all of them are thrilled about. IMHO they should've been doing this right along, of course.

If you can't afford a full implementation, consider phasing it in over time. We put our residence halls on it one summer, and then the rest of the campus the next summer, thereby splitting the cost across two fiscal years.

Good luck!
-Tim

---
Tim Cantin, Senior Network Engineer
Wellesley College, IS/Technology Infrastructure Group
223 Simpson Hall East, 106 Central Street
Wellesley, Massachusetts 02481-8203
http://www.wellesley.edu/~tcantin/
phone: (781)283-3520
fax: (781)283-3682

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Friday, April 25, 2008 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Outbound SMTP

I am curious how many other schools block outbound SMTP, and if so from which or all networks? We currently still allow it; however, I see very few legit connections. Usually once a week I find another student who has become malware infected, and have to shut them off until they can prove their computer is clean (unfortunately we don't have a true NAC as budget does not allow). The biggest problem is wireless users. I can block MAC addresses; however, this ends up taking a lot of time from start to finish (by the time I login to WCS, push the policy to all the controllers, document it, notify our helpdesk team for the incoming phone call they will get, then all those steps in reverse when the computer is cleaned).

I have been considering approaching management to just block all port 25 traffic. My holdback is that I feel bad for anyone that has their own domain somewhere and sends mail through it. We do not allow students to relay SMTP mail through our mail servers.

Thoughts?

Thanks for your input,
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at http://www.fairmontstate.edu/
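Editor's added example, not part of any message in this thread: a small model of the egress policy Tim describes (drop TCP/25 at the perimeter except for the central mail servers and a short allowlist of outside relays granted on request), rendered as iptables FORWARD rules and then run against constructed flow records to show which hosts the rule would actually affect. The campus range, relay address, allowlisted external relay and the flow records are all made up for the example. A user who sends through their own domain on the authenticated submission port (587) is not touched by a port-25 rule, which is why the policy polices only port 25; a campus host that fans out to many distinct mail servers on port 25 is the pattern Matt describes cleaning up weekly.

```python
"""Perimeter outbound-SMTP policy: render as iptables rules and evaluate flows.
All addresses and flow records below are constructed for illustration."""
import ipaddress
from collections import defaultdict

SMTP_PORT = 25

# Constructed policy: campus range, the central relay (e.g. smtp.example.edu),
# and outside SMTP servers opened "for convenience on request".
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")               # example range
MAIL_RELAYS = {ipaddress.ip_address("192.0.2.25")}              # central relay
ALLOWED_EXTERNAL_SMTP = {ipaddress.ip_address("198.51.100.25")}  # e.g. an ISP relay


def smtp_egress_allowed(src, dst, dport):
    """True if the perimeter should forward this connection.
    Only outbound TCP/25 is policed; other ports (including 587 submission) pass."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != SMTP_PORT:
        return True
    if src not in CAMPUS_NET or dst in CAMPUS_NET:
        return True                 # not outbound campus traffic; out of scope here
    if src in MAIL_RELAYS:
        return True                 # central mail servers may reach any MX
    return dst in ALLOWED_EXTERNAL_SMTP


def iptables_rules():
    """Render the same policy as iptables FORWARD rules for the perimeter box.
    Order matters: specific accepts first, then log and reject everything else."""
    rules = []
    for relay in sorted(MAIL_RELAYS):
        rules.append(f"iptables -A FORWARD -p tcp -s {relay} --dport {SMTP_PORT} -j ACCEPT")
    for ext in sorted(ALLOWED_EXTERNAL_SMTP):
        rules.append(f"iptables -A FORWARD -p tcp -s {CAMPUS_NET} -d {ext} "
                     f"--dport {SMTP_PORT} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -p tcp -s {CAMPUS_NET} --dport {SMTP_PORT} "
                 f"-j LOG --log-prefix 'SMTP-EGRESS-DROP '")
    # tcp-reset rather than silent DROP so a misconfigured mail client fails fast
    rules.append(f"iptables -A FORWARD -p tcp -s {CAMPUS_NET} --dport {SMTP_PORT} "
                 f"-j REJECT --reject-with tcp-reset")
    return rules


# Constructed flow records (src, dst, dport): the relay doing its job, a user on
# an allowlisted ISP relay, a user on 587 submission, and one host spraying MXs.
FLOWS = [
    ("192.0.2.25", "203.0.113.10", 25),
    ("192.0.2.25", "203.0.113.11", 25),
    ("192.0.2.40", "198.51.100.25", 25),
    ("192.0.2.41", "203.0.113.50", 587),
    ("192.0.2.99", "203.0.113.10", 25),
    ("192.0.2.99", "203.0.113.20", 25),
    ("192.0.2.99", "203.0.113.30", 25),
    ("192.0.2.99", "203.0.113.40", 25),
]


def blocked_sources(flows):
    """Map each campus host the rule would block to the number of distinct MXs it tried."""
    hits = defaultdict(set)
    for src, dst, dport in flows:
        if not smtp_egress_allowed(src, dst, dport):
            hits[src].add(dst)
    return {src: len(dsts) for src, dsts in hits.items()}


def likely_spambots(flows, threshold=3):
    """A real mail client talks to one server; spam malware fans out to many MXs.
    The threshold is an assumption for the example, not a tuned value."""
    return sorted(s for s, n in blocked_sources(flows).items() if n >= threshold)


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("hosts the rule would block:", blocked_sources(FLOWS))
    print("fan-out hosts worth checking for malware:", likely_spambots(FLOWS))
```

Running the block prints the four rules and shows that only 192.0.2.99 is affected: the relay, the allowlisted-ISP user and the submission-port user all pass, which is the "handful of squawkers" outcome Tim reports. Feeding the LOG prefix into the same fan-out count against real flow or firewall logs gives a quick list of hosts to pull aside before anyone outside complains.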
Current thread:
- Re: Outbound SMTP, (continued)
- Re: Outbound SMTP Dan Oachs (Apr 25)
- Re: Outbound SMTP Morrow Long (Apr 25)
- Re: Outbound SMTP Tim Cantin (Apr 25)
- Re: Outbound SMTP Kenneth Arnold (Apr 25)
- Re: Outbound SMTP Halliday,Paul (Apr 25)
- Re: Outbound SMTP Gary Flynn (Apr 25)
- Re: Outbound SMTP Childs, Aaron (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Barros, Jacob (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Kreider, Randall G (Apr 25)
- Re: Outbound SMTP Jeff Kell (Apr 25)
- Re: Outbound SMTP Joe St Sauver (Apr 25)
- Re: Outbound SMTP Jenkins, Matthew (Apr 25)
- Re: Outbound SMTP Tim Cantin (Apr 25)
- Re: Outbound SMTP Jenkins, Matthew (Apr 25)
- Re: Outbound SMTP Joey Rego (Apr 25)
- Re: Outbound SMTP Jeff Kell (Apr 25)
- Re: Outbound SMTP Joe St Sauver (Apr 25)
- Re: Outbound SMTP Basgen, Brian (Apr 25)
- Re: Outbound SMTP Michael Van Norman (Apr 25)
(Thread continues...)