Firewall Wizards mailing list archives

Re: SMTP forwarding question


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 01 Oct 2004 06:56:23 -0400

Nagy Attila wrote:
> I think the only reason you think it's stupid is that I've left out an important piece of information:
> the given company would be an ISP

Yeah, that's a MINOR detail because it subsumes a lot of information
about the number of "roaming users", etc. Are you familiar with the
expression "garbage in, garbage out"?  If you leave important tidbits
like that for us to guess at, our answers are going to show the results
of such errors of scale.

> If the ISP blocks outgoing tcp/25, then all of its users who use other SMTP servers on the internet (for example
> mail.ispB.com with POP before SMTP or via SMTP AUTH) will not be able to use their server.

Well, yeah.

> I am aware of the fact that a clear policy should be that every user MUST send mail via mail.ispA.com, but as the
> Earth's shape is not exactly round, the users say that if they cannot send mail from their notebook from ISP A to ISP
> B (via authenticated SMTP) and it works from ISP C, then they will choose ISP C, not A.

Since you're talking an ISP, you also have scaling issues but
you're able to "own" the solution. In a sense, ISPs are in the
solutions business. I think a not-unreasonable approach would
be to write a proxy that proxies forward authenticated SMTP
but captures and proxy-scans unauthenticated SMTP. It's
not a lot of complex code, to do that. Put it in the outbound
path and NAT all port 25 to it and let it do its thing.

> Could you name any product which can store some state about the current SMTP session, decide what we are talking about
> (authenticated SMTP to a foreign ISP or a simple mail to anyone in the world) and route the traffic either to the local
> mail server or transparently to the original one?

The C programming language can do it. :) You're looking at maybe
a day to configure the NAT/loadbalance rules to make it work,
and a day or 2 to code up the switching proxy. This is not rocket
science. What on earth would you want to pay good money for
a product to do something so simple?   OH! WAIT! Yes, I have
such a product right here!!! It's designed for ISP use, and it costs
only $400,000... ;) Let me know if you want a copy - it comes
with con$ulting for set-up and there's a 3-month lead-time on it. ;)
It's called, the, uhhhh...  "SMTP SWITCH"(tm)      ;)

> Man in the middle won't work here (if you think about authenticating anyone, regardless of their credentials, getting
> the message and sending it to the recipient)

It doesn't have to - you MITM the authentication between the client
and THEIR server. So if THEIR server says it's OK then let it rip.
If it's in the clear, you're good to go. If it's encrypted then you've got
to let the crypto through anyhow (or not) that's a policy choice. You
might be able to do this even with encrypted communications if
the traffic follows a sufficiently distinctive pattern....

> because some customers will (I know, for sure) send mail via their corporate authenticated and secured (TLS) SMTP
> server to non-existent domains, or to email addresses which won't route the same as from their own SMTP server.

Somehow, Gauntlet firewall, Cyberguard firewall, Raptor firewall, and
others all managed to solve this problem. ;)

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
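The decision logic of the "switching proxy" Ranum sketches, as an added example that is not code from the thread or from any product named in it. The transcript format (a list of ("C"|"S", line) pairs), the function name and the sample dialogues are my own constructions; the TLS handling is the policy choice the reply mentions, left as a flag.

```python
# Added example (not from the thread): the classifier at the heart of a
# transparent port-25 switching proxy. It watches the SMTP dialogue between a
# roaming client and the remote server and decides, before any message data
# is relayed, whether to pass the session through to the remote server
# (client authenticated against THEIR server), treat it as encrypted
# (policy choice), or divert it to the ISP's own scanning relay.

ALLOW_TLS_PASSTHROUGH = False   # policy: let STARTTLS sessions through unscanned?


def classify_smtp_session(transcript, allow_tls=ALLOW_TLS_PASSTHROUGH):
    """Return one of:
      'forward'     - remote server accepted AUTH (235): relay as-is
      'local'       - MAIL FROM without successful AUTH: divert to local relay
      'passthrough' - STARTTLS accepted (220) and policy allows opaque traffic
      'block'       - STARTTLS accepted but policy forbids unscanned crypto
      'undecided'   - not enough of the dialogue seen yet
    `transcript` is a list of ("C", line) / ("S", line) pairs seen so far."""
    pending = None      # client command still awaiting the server's verdict
    authed = False
    for side, line in transcript:
        if side == "C":
            if pending == "AUTH":          # credential line answering a 334 challenge
                continue
            verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
            if verb == "MAIL":
                # First MAIL FROM is the switch point: after this the proxy
                # must either relay to the remote server or to the local one.
                return "forward" if authed else "local"
            pending = verb if verb in ("AUTH", "STARTTLS") else None
            continue
        code = line[:3]                    # server reply code
        if pending == "AUTH":
            if code == "334":              # challenge; more client lines follow
                continue
            authed = code == "235"         # 235 = credentials accepted by THEIR server
            pending = None
        elif pending == "STARTTLS":
            pending = None
            if code == "220":              # stream goes opaque from here on
                return "passthrough" if allow_tls else "block"
    return "forward" if authed else "undecided"
```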