pmidwest Just Arrived
Joined: 11 Dec 2002 Posts: 0
Posted: Wed Dec 11, 2002 10:35 pm Post subject: SMTP Exploits
Does anyone have or know where I can get info on securing port 25?
And/or Microsoft Exchange 5.5?
In an earlier post I found this...
Quote:
SMTP servers (esp. sendmail) are one of the favorite ways to break into systems because they must be exposed to the Internet as a whole and e-mail routing is complex (complexity + exposure = vulnerability).
And I would like to get any info I can to point me in the right direction to getting this port as tight as possible.
Any help would be greatly appreciated.
Thanks in advance.
Paul
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Thu Dec 12, 2002 12:09 am Post subject:
Well, I tend to keep 25 totally blocked and only allow internal hosts to use the SMTP server. If you have to give external mail access, give it using SSL web-mail or, if you must, POP3.
If you really need to give external access to port 25, make sure whatever you are running is totally patched and up to date, and preferably IP mask it to the ranges that need to use it.
If not, authentication will do, or it will be an open relay.
Keep the mail server in a DMZ if you plan to give external access as well.
pmidwest Just Arrived
Joined: 11 Dec 2002 Posts: 0
Posted: Thu Dec 12, 2002 12:17 am Post subject:
Up until recently our parent company has run the mail server for everyone, and now we are setting up our own mail server. Now the IT manager has assigned me to research this and get him any info that could result in our servers being insecure because of the change. I believe we have to use SMTP (25) because of Outlook 5.5? But you suggest just patching it up with everything Microsoft offers for it?
Anything else that we could do to keep it secure?
Thanks again
Paul
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Thu Dec 12, 2002 12:20 am Post subject:
Yeh but do you need to give access to the SMTP server over the Internet? That's not normal.
Every ISP provides you with an IP masked SMTP server for use while you are online with them.
That's what most people use.
You only need SMTP to relay to your ISP's smart host from your Internal network right?
And yeh, patch to the max. If you are really worried about security, don't use Exchange; grab a copy of BSD or Slackware and stick Exim on there.
pmidwest Just Arrived
Joined: 11 Dec 2002 Posts: 0
Posted: Thu Dec 12, 2002 12:26 am Post subject:
I'm not too sure about any of this. I don't know the first thing about mail servers. Could you explain in a little more detail? If you have time, that is.
Thanks
Paul
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Thu Dec 12, 2002 12:32 am Post subject:
pmidwest wrote:
I'm not too sure about any of this. I don't know the first thing about mail servers. Could you explain in a little more detail? If you have time, that is.
Heh, no offence but why did your boss ask you to do this?
If you find out some more info about the situation, perhaps read a little about e-mail servers, how they work, what you require and how your e-mail server is going to work you will be better equipped to ask questions.
When you have a clear idea of what you need and any problems the situation may cause please post back.
Cheers!
pmidwest Just Arrived
Joined: 11 Dec 2002 Posts: 0
Posted: Thu Dec 12, 2002 12:57 am Post subject:
Yeah I know... but I've been searching the net all day and haven't come across anything about the ISP providing an IP masked SMTP. You got me all excited... I thought I was getting somewhere and then you shot me down. Hehe... but it's all good. I understand where you're coming from. I'll just keep looking around.
Thanks
Paul
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Thu Dec 12, 2002 1:04 am Post subject:
Well just find out from your boss what you need.
I'll give you an example..
Say I'm at home using dialupisp.com for my Internet access; even if I want to send mail from my work account I won't send via mail.work.com, I'll send via smtp.dialupisp.com.
Every ISP provides SMTP access for its users.
Generally you don't need to give external SMTP access, only POP3.
Keep reading
SecWiz Just Arrived
Joined: 03 Dec 2002 Posts: 0
Posted: Thu Dec 12, 2002 12:34 pm Post subject: SMTP and port 25
Hi Paul,
From what I can gather from the previous posts you are trying to set up your own mail server.
You will have to open port 25 to give access to the Exchange server. How else are you going to receive mail?
Yes, you can have an ISP "mailbag" your mail, but you still need to retrieve it. This was a popular solution for dialup connections (or as a secondary host in case your primary server goes down).
You can't use authentication for SMTP, except if you collect mail from your ISP.
Hope this makes sense,
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Thu Dec 12, 2002 12:43 pm Post subject:
Well yeh if you are setting the MX records for the domain to the IP of the Exchange box.
Not sure what the plan is though.
I'm sure Paul will enlighten us a little more
We still use a catch all POP box at the ISP end and retrieve from there and send via a smart host.
Trying to replace it with something *nix based that doesn't require 300MB of memory to run
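
The relay rule the posts above circle around (accept inbound mail for your own domain from anyone, relay to other domains only for internal ranges or authenticated users), as an added example that is not part of any post in the thread. The domain, the internal range and the sample sessions are constructed assumptions.

```python
import ipaddress

# Assumed values for illustration; none of these come from the thread.
LOCAL_DOMAINS = {"example.com"}                       # domains whose MX points here
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # "IP masked" ranges allowed to relay


def rcpt_domain(rcpt):
    """Return the lower-cased domain of a RCPT TO address, or None if unusable."""
    addr = rcpt.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    # Policy choice: refuse routed local parts ("user%other.net@example.com",
    # bang paths), which would otherwise pass the local-domain check below.
    if any(c in local for c in "%!@"):
        return None
    return domain.lower().rstrip(".")


def relay_decision(client_ip, authenticated, rcpt):
    """Decide what to do with one RCPT TO received on port 25."""
    domain = rcpt_domain(rcpt)
    if domain is None:
        return "reject-bad-address"
    if domain in LOCAL_DOMAINS:
        return "accept-local"   # inbound mail for us: any sender may deliver
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in INTERNAL_NETS):
        return "accept-relay"   # outbound mail from our own users
    return "reject-relay"       # stranger to foreign domain would be an open relay


# Constructed sample sessions: (client IP, authenticated?, RCPT TO)
SESSIONS = [
    ("203.0.113.7", False, "<paul@example.com>"),
    ("10.1.2.3", False, "<friend@other.net>"),
    ("198.51.100.9", True, "<friend@other.net>"),
    ("203.0.113.7", False, "<someone@other.net>"),
    ("203.0.113.7", False, "<someone%other.net@example.com>"),
]


def audit(sessions):
    """Return the verdict for each session, in order."""
    return [relay_decision(*s) for s in sessions]


if __name__ == "__main__":
    for s, verdict in zip(SESSIONS, audit(SESSIONS)):
        print(f"{s[0]:<15} auth={s[1]!s:<5} {s[2]:<34} {verdict}")
```
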
pmidwest Just Arrived
Joined: 11 Dec 2002 Posts: 0
Posted: Thu Dec 12, 2002 4:40 pm Post subject:
You guys have been a lot of help and I thank you.
I shared some of the info you gave me with my boss and from that we came up with a plan. I asked him if he had a book on Exchange and he said no, but he was going to pick one up for me, so I'm gunna be learning as much as I can within the weeks to come and I will be able to ask some more questions without sounding like a total retard.
Thank you again
Paul
PS. I'll be back