Firewall Wizards mailing list archives

RE: POP vs IMAP vs MAPI - security through firewalls?


From: Ben Nagy <ben.nagy () marconi com au>
Date: Mon, 26 Feb 2001 13:44:44 +1030

You might like this link:
http://www.microsoft.com/ISN/faq/ports_used_nt_and_exchange.asp

To summarise:
- I don't think any M$ stuff uses port 136 for anything at all.
- I don't think any M$ stuff uses 137/138 _TCP_ for anything. UDP is used on
these ports for all sorts of nasty, NASTY stuff that a) has nothing to do
with getting mail to work and b) is BAD to pass through a firewall.
- I can't see any reason why you'd want port 139 TCP to work, either, but I
could be wrong.

AFAIK, you _should_ only need to open port 135 for RPC and some dynamic
ports, ala KB article Q270836. This may be where they get 50000 etc, but the
recommended range is 1024 - 5000, so who _knows_ what's going on.

That doesn't help you with your security comparison, though, sorry. I
wasn't aware that _any_ of those protocols were "secure" - they're all
cleartext, for a start. 

Since all the TCP connections are _supposed_ to come from the inside
outwards, though, I don't see _too_ much exposure from the protocol level.
It's a matter of guessing which implementation is most likely to be buggy, I
suppose. Toss a (three sided) coin?

(Neater solution: Run a Citrix box outside the firewall, run the ICA client
on your SUNs and then use Citrix sessions to read mail. Solves two problems
at once.)

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

-----Original Message-----
From: Joseph S D Yao [mailto:jsdy () cospo osis gov]
Sent: Friday, 23 February 2001 8:36 
To: firewall-wizards () nfr net
Subject: [fw-wiz] POP vs IMAP vs MAPI - security through firewalls?


Recently, one of our firewalled sites (hosted at a military base) was
directed that they had to stand down their internal mail server and use
the external base mail server.  This being the US military, this will
be an MS Exchange server, and the people inside the firewall are being
directed to use MS Outlook.  [How this will run on their Suns I don't
know, but that's not my problem.]

They were told they had to use MS MAPI to read the mail, and so they
would have to open TCP ports 135-139, 50000, 50001, and perhaps others
to be named later.  They were also told that MAPI must be used because
it is "slightly more secure" than POP3 or IMAP4.

The firewall is proxying-only, which of course means TCP-only.  I'm not
familiar with MAPI, and of course there is no RFC describing it, or any
publicly available documentation of which I'm aware.

Is anyone aware of any verifiable security testing that's been done on
MAPI?  Is it in fact "more secure" than POP3 and IMAP4?  You needn't
tell me that the latter two have security vulnerabilities - I've heard
this - but details would help [I haven't collected those], and if there
is a comparison to MAPI that would be so much the better.  Is MAPI that
much better?  [It had better be, to use up 7+ ports!  ;-(]

Are there any reliable proxies for any of these protocols?

Thank you!

-- 
Joe Yao                               jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                   EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
