Firewall Wizards mailing list archives
Re: SMTP forwarding question
From: Nagy Attila <bra () fsn hu>
Date: Thu, 30 Sep 2004 22:18:35 +0200
Marcus J. Ranum wrote:
I think the only thing why you think it's stupid is that I've left off an important information: the given company would be an ISP, which has a lot of problems about their users spamming and flooding the world with viruses.The problem: there is a network from which all outgoing SMTP connections should be handled by the company's mail gateway (virus and spam checking, etc) BUT the roaming users must be able to use their companies' SMTP server, possibly via SMTP AUTH (with or without starttls) and/or POP before SMTP (or any other solutions which work over tcp/25).First off, that's a stupid policy - fortunately it's not mine so I won't say any more about it than what I already have...
If the ISP blocks outgoing tcp/25, then all of its users who use other SMTP servers on the internet (for example mail.ispB.com with POP before SMTP or via SMTP AUTH) will not be able to use their server.
I am aware of the fact, that a clear policy should be that every user MUST send mail via mail.ispA.com, but as the Earth's shape is not exactly round, the users say that if they cannot send mail from their notebook from ISP A to ISP B (via authenticated SMTP) and it works from ISP C, then they will choose ISP C, not A.
That's the problem. If ISP A blocks outgoing SMTP, the users have to reconfigure their notebooks.
And users doesn't want this, instead they choose another ISP.
Could you name any product which can store some state about the current SMTP session, decide what are we talking about (authenticated SMTP to a foreign ISP or a simple mail to anyone in the world) and route the traffic either the local mail server or transparently to the original one?This could probably be done with the proxy transparency rules of some old-school firewalls, or with redirector rules in a load-balancer.
Man in the middle won't work here (if you think about authenticating anyone, regardless of their credentials, getting the message and sending it to the recipient), because some customers will (I know, for sure) send mail via their corporate authenticated and secured (TLS) SMTP server to non existant domains, or to email addresses which won't route the same as from their own SMTP server.You could achieve the same effect by blackhole-routing the targets to a subnet with a small box that could effectively man-in-the-middle proxy/NAT the traffic to its final destination. At the very least you want a good audit trail of what the enemy agents (excuse me, "roaming users") inside the enterprise are sending, and to whom.
A typical example would be that without a VPN, the user sends mail via mail.company.com from his/her ISP to john@company.intra.
This won't work if I get his message and also won't work if the MUA checks the server's certificate in case of a TLS session.
That's why I would like transparently let through authenticated and/or TLS sessions.
-- Attila Nagy e-mail: Attila.Nagy () fsn hu Free Software Network (FSN.HU) phone @work: +361 371 3536 ISOs: http://www.fsn.hu/?f=download cell.: +3630 306 6758 _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- SMTP forwarding question Attila Nagy (Sep 30)
- Re: SMTP forwarding question Marcus J. Ranum (Sep 30)
- Re: SMTP forwarding question Nagy Attila (Sep 30)
- Re: SMTP forwarding question Jim Seymour (Sep 30)
- Re: SMTP forwarding question Devdas Bhagat (Sep 30)
- Re: SMTP forwarding question Marcus J. Ranum (Sep 30)