Firewall Wizards mailing list archives
Re: Permit or Proxy - SMTP
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Fri, 24 Nov 2000 14:31:45 -0500
On Fri, Nov 24, 2000 at 10:10:48AM +0000, Craig.Martin () faht scot nhs uk wrote:
> I've just received a request from a colleague that looks after our Exchange server. Currently I have port 102 opened up to allow X.400 mail to be sent to a relay host. But the new request has asked for port 25 (SMTP) to be opened up. I'm a bit concerned about this and was wondering if anyone could (roughly) give some advice on the pitfalls in doing so. My gut reaction is to tie down the destination IP address for outgoing, then just permit replies from the same external host, and probably proxy it too. However, my colleague has also asked if this could be allowed to all external hosts. This is the part that concerns me. So... the question is... 1) permit or proxy, and 2) what are the risks here?
This is a pretty standard thing to do. You should have a proxy on your firewall for SMTP already, that you can enable. If, as you imply, you have one internal and one external SMTP server, then you can configure the proxy to allow SMTP between those two only. However, this would be an unusual configuration (to have one inside and one outside).

Usually, an SMTP proxy must be configured to allow incoming e-mail from anywhere and outgoing e-mail to anywhere. Your SMTP proxy must be configured NOT to allow e-mail from the outside to the outside, or else it will likely be found by spammers and used as a third-party relay. Even more likely, it will be put in one of the popular SPAM-prevention databases and shunned.

Most SMTP proxies can further be configured to use one of said popular SPAM-prevention databases, to shun any e-mail that might remotely be SPAM; but I would only do that if I knew I had a SPAM problem. All it takes is one false positive rejection to or from a Very Important Person Indeed ... ;-)

Some SMTP proxies also have a hook to allow examining incoming and outgoing e-mail for various active content that might host malicious code. If you enable this, be sure NOT to let your users think that this in any way relieves them of the responsibility to do virus-checking at the desktops. This may require underselling the virtues of the SMTP virus-scanning software. As all virus-scanning software is imperfect, anyway, this should not be a problem.

--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
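The relay policy Joe describes (accept inbound mail from anywhere for your own domains, accept outbound mail from inside hosts to anywhere, refuse outside-to-outside because that is a third-party relay) can be written down as a small decision function. The following is an added illustration, not code from the thread or from any firewall product; the internal address ranges, the local domain list, the `dnsbl.example` zone name and the "listed" address are all assumed values constructed for the example. The optional DNSBL check is modelled the way the reply suggests using it: off by default, and applied only to inbound mail from outside.

```python
"""Relay policy for an SMTP proxy sitting on a firewall (added example).

Accept: anywhere -> local domains (inbound), inside -> anywhere (outbound).
Refuse: outside -> outside, which is the open-relay case spammers look for.
"""
import ipaddress

# Assumed: RFC 1918 ranges that sit behind the firewall, and the domains
# this site receives mail for. Adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed stand-in for a DNS-based blocklist. A real deployment resolves
# the reversed-octet name in the zone; here a set simulates "name exists".
DNSBL_ZONE = "dnsbl.example"            # placeholder zone, not a real list
LISTED = {"9.113.0.203." + DNSBL_ZONE}  # constructed sample entry


def is_internal(ip: str) -> bool:
    """True if the connecting client sits inside the firewall."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def domain_of(address: str) -> str:
    """Domain part of an envelope address, lower-cased for comparison."""
    return address.rpartition("@")[2].lower()


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet query name used by IPv4 DNS blocklists."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip: str) -> bool:
    """Simulated lookup; replace with a real DNS query against the zone."""
    return dnsbl_query_name(ip) in LISTED


def relay_decision(client_ip: str, rcpt_to: str,
                   use_dnsbl: bool = False) -> tuple[bool, str]:
    """Return (accept, reason) for one RCPT TO from the given client."""
    inside = is_internal(client_ip)
    local_rcpt = domain_of(rcpt_to) in LOCAL_DOMAINS

    if inside and local_rcpt:
        return True, "internal delivery"
    if inside:
        # Inside hosts may send to anywhere on the Internet.
        return True, "outbound from inside"
    if local_rcpt:
        # Inbound mail for our own domains is accepted from anywhere,
        # optionally filtered by the blocklist (false positives are the cost).
        if use_dnsbl and dnsbl_listed(client_ip):
            return False, "554 5.7.1 client listed in " + DNSBL_ZONE
        return True, "inbound to local domain"
    # Outside client, outside recipient: this is third-party relaying.
    return False, "554 5.7.1 relay access denied"


if __name__ == "__main__":
    # Constructed sample envelopes: (client IP, recipient).
    samples = [
        ("10.1.2.3", "friend@elsewhere.net"),      # outbound
        ("198.51.100.7", "bob@example.com"),       # inbound
        ("198.51.100.7", "victim@elsewhere.net"),  # relay attempt
        ("203.0.113.9", "bob@example.com"),        # inbound, listed client
    ]
    for ip, rcpt in samples:
        for flag in (False, True):
            ok, why = relay_decision(ip, rcpt, use_dnsbl=flag)
            print(f"{ip:>14} -> {rcpt:<22} dnsbl={flag!s:<5} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The last sample shows the trade-off the reply warns about: the same inbound message is accepted with the blocklist off and rejected with it on, so enabling the lookup is a policy choice rather than a free win.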
Current thread:
- Permit or Proxy - SMTP Craig . Martin (Nov 25)
- Re: Permit or Proxy - SMTP Joseph S D Yao (Nov 26)