Firewall Wizards mailing list archives
Re: SMTP forwarding question
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 01 Oct 2004 06:56:23 -0400
Nagy Attila wrote:

> I think the only thing why you think it's stupid is that I've left off an important piece of information: the given company would be an ISP

Yeah, that's a MINOR detail because it subsumes a lot of information about the number of "roaming users", etc. Are you familiar with the expression "garbage in, garbage out"? If you leave important tidbits like that for us to guess at, our answers are going to show the results of such errors of scale.

> If the ISP blocks outgoing tcp/25, then all of its users who use other SMTP servers on the internet (for example mail.ispB.com with POP before SMTP or via SMTP AUTH) will not be able to use their server.

Well, yeah.

> I am aware of the fact that a clear policy should be that every user MUST send mail via mail.ispA.com, but as the Earth's shape is not exactly round, the users say that if they cannot send mail from their notebook from ISP A to ISP B (via authenticated SMTP) and it works from ISP C, then they will choose ISP C, not A.

Since you're talking an ISP, you also have scaling issues but you're able to "own" the solution. In a sense, ISPs are in the solutions business. I think a not-unreasonable approach would be to write a proxy that proxies forward authenticated SMTP but captures and proxy-scans unauthenticated SMTP. It's not a lot of complex code, to do that. Put it in the outbound path and NAT all port 25 to it and let it do its thing.

> Could you name any product which can store some state about the current SMTP session, decide what we are talking about (authenticated SMTP to a foreign ISP or a simple mail to anyone in the world) and route the traffic either to the local mail server or transparently to the original one?

The C programming language can do it. :) You're looking at maybe a day to configure the NAT/loadbalance rules to make it work, and a day or 2 to code up the switching proxy. This is not rocket science. What on earth would you want to pay good money for a product to do something so simple? OH! WAIT! Yes, I have such a product right here!!! It's designed for ISP use, and it costs only $400,000... ;) Let me know if you want a copy - it comes with con$ulting for set-up and there's a 3-month lead-time on it. ;) It's called, the, uhhhh... "SMTP SWITCH"(tm) ;)

> Man in the middle won't work here (if you think about authenticating anyone, regardless of their credentials, getting the message and sending it to the recipient)

It doesn't have to - you MITM the authentication between the client and THEIR server. So if THEIR server says it's OK then let it rip. If it's in the clear, you're good to go. If it's encrypted then you've got to let the crypto through anyhow (or not) - that's a policy choice. You might be able to do this even with encrypted communications if the traffic follows a sufficiently distinctive pattern....

> because some customers will (I know, for sure) send mail via their corporate authenticated and secured (TLS) SMTP server to non-existent domains, or to email addresses which won't route the same as from their own SMTP server.

Somehow, Gauntlet firewall, Cyberguard firewall, Raptor firewall, and others all managed to solve this problem. ;)

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
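The per-session state tracking that the "switching proxy" in this exchange needs, written up as an added example (it is not code from the thread or from any of the products named in it). It assumes the proxy sees both directions of the NATed port-25 connection, treats the remote server's 235 reply as the proof of authentication, and handles STARTTLS as the policy knob Marcus mentions; the dialogues at the bottom are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FORWARD, DIVERT, BLOCK = "forward", "divert", "block"

@dataclass
class Session:
    """State the proxy keeps per TCP connection NATed to it."""
    authenticated: bool = False   # remote server accepted AUTH (235)
    pending_auth: bool = False    # inside an AUTH exchange (334 challenges)
    decision: Optional[str] = None

def on_client(sess: Session, line: str, allow_tls: bool) -> Optional[str]:
    """Inspect one client line; return the routing decision once it is final."""
    if sess.pending_auth:          # SASL data, not a command: ignore it
        return None
    verb = line.strip().split(" ", 1)[0].upper()
    if verb == "AUTH":
        sess.pending_auth = True
    elif verb == "STARTTLS":
        # After STARTTLS the proxy can no longer see AUTH; letting the
        # encrypted session through or refusing it is a policy choice.
        sess.decision = FORWARD if allow_tls else BLOCK
    elif verb == "MAIL" and sess.decision is None:
        sess.decision = FORWARD if sess.authenticated else DIVERT
    return sess.decision

def on_server(sess: Session, line: str) -> None:
    """Watch the remote server's reply codes during an AUTH exchange."""
    code = line[:3]
    if sess.pending_auth and code.isdigit():
        if code == "235":
            sess.authenticated = True
        if not code.startswith("3"):   # 334 wants more data; 2xx/4xx/5xx end it
            sess.pending_auth = False

def classify(dialogue: List[Tuple[str, str]], allow_tls: bool = True) -> Optional[str]:
    """dialogue: ('C'|'S', line) pairs in wire order. Returns the decision
    reached before any message content is accepted, or None if none yet."""
    sess = Session()
    for side, line in dialogue:
        if side == "C":
            if on_client(sess, line, allow_tls) is not None:
                return sess.decision
        else:
            on_server(sess, line)
    return sess.decision

# Constructed sample dialogues (hypothetical hosts, not captures).
AUTHED = [("S", "220 mail.ispB.example ESMTP"), ("C", "EHLO laptop"),
          ("S", "250-mail.ispB.example"), ("S", "250 AUTH PLAIN LOGIN"),
          ("C", "AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q="), ("S", "235 2.7.0 Authenticated"),
          ("C", "MAIL FROM:<user@ispB.example>")]
PLAIN = [("S", "220 mx.example ESMTP"), ("C", "HELO laptop"), ("S", "250 ok"),
         ("C", "MAIL FROM:<anyone@anywhere.example>")]
```

A session that reaches MAIL FROM with a server-confirmed AUTH is forwarded untouched; one that never authenticated (or whose AUTH the remote server rejected) is diverted to the ISP's own scanning relay.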