>hmmm..so there really isn't a chance of actually locking down too many ports
>in NT.
Not so, actually. The key is *incoming* versus *outgoing*.
Each TCP/IP (and UDP) connection has a client side port number, and a
remote port number. When another mail server connects to yours, yours is
the server (using port 25) and theirs is the client (using some unknown port).
In order to run a server, you must allow incoming packets no matter what
the client-side port is. You have to allow all 65,536 different possible
ports. Otherwise, it will either randomly fail (if you block some) or never
be reachable (if you block all).
Port blocking is very effective. For an IMail server just being used for SMTP
and POP3, you could have the firewall block all incoming traffic to all
ports except 25 and 110. This would prevent anyone from connecting to the
IMail server on any port except 25 or 110. They will be using some random
port on their end, but that doesn't matter. IMail will work fine, because
the firewall isn't blocking outgoing traffic (it can send to any port on
any computer).
If you were worried that there might be rogue applications on the IMail
server, you could have the firewall also block outgoing traffic to all but
port 25 and port 53 (DNS). That should handle IMail's needs.
You don't have to worry at all about ports 1024 and above (except the ones
you may actually be using, such as 8383 for IMail web messaging). The
firewall handles that for you.
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
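The incoming-versus-outgoing rule Scott describes, modelled as a small policy evaluator. This is an added example, not code from the thread, from IMail, or from any firewall product; the `Policy` and `Connection` types, the three sample policies, and the idea of a "broken" policy that mistakenly filters on the client's ephemeral port are all hypothetical, constructed to show why only the server-side port of a connection should ever be matched. Decisions are made per connection (who initiated it and which port they connected to); reply packets of an allowed connection are taken as implicitly allowed, as a stateful firewall does.

```python
"""Model of 'block by server-side port, never by client-side port'.

Hypothetical illustration (assumption): not the behaviour of any real firewall,
but the decision logic the post describes, made testable.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Service = Tuple[str, int]  # (protocol, well-known server-side port)


@dataclass(frozen=True)
class Connection:
    initiated_by: str  # "remote": someone connects to the mail server; "server": it connects out
    proto: str         # "tcp" or "udp"
    client_port: int   # ephemeral port picked by the initiator (effectively random)
    server_port: int   # well-known port the initiator connected to


@dataclass(frozen=True)
class Policy:
    inbound: FrozenSet[Service]             # services the outside world may reach
    outbound: Optional[FrozenSet[Service]]  # services the server may reach; None = no egress filter
    # Misconfiguration knob (constructed): client ports an admin wrongly blocks.
    blocked_client_ports: FrozenSet[int] = frozenset()


def allowed(conn: Connection, policy: Policy) -> bool:
    """Decide a connection. Only the server-side port selects the rule."""
    if conn.client_port in policy.blocked_client_ports:
        return False  # the mistake the post warns about: filtering the client's port
    service = (conn.proto, conn.server_port)
    if conn.initiated_by == "remote":
        return service in policy.inbound
    if conn.initiated_by == "server":
        return policy.outbound is None or service in policy.outbound
    raise ValueError(f"unknown initiator {conn.initiated_by!r}")


def reachable_client_fraction(policy: Policy, proto: str, server_port: int) -> float:
    """Share of the 65,535 possible client ports that can reach a service.

    A correct policy gives exactly 1.0 (or 0.0 if the service is closed):
    which port the client happens to use must make no difference.
    """
    ok = sum(
        allowed(Connection("remote", proto, p, server_port), policy)
        for p in range(1, 65536)
    )
    return ok / 65535


# Scenario 1 from the post: inbound only SMTP (25) and POP3 (110), no egress filter.
# Add ("tcp", 8383) here if IMail web messaging is actually in use.
SMTP_POP3 = Policy(
    inbound=frozenset({("tcp", 25), ("tcp", 110)}),
    outbound=None,
)

# Scenario 2: additionally limit what the server itself may connect to (SMTP and DNS).
LOCKED_DOWN = Policy(
    inbound=SMTP_POP3.inbound,
    outbound=frozenset({("tcp", 25), ("tcp", 53), ("udp", 53)}),
)

# Constructed misconfiguration: an admin "closes ports 1024 and above" by blocking
# packets whose *client* port is high. Almost every real client then fails.
BROKEN = Policy(
    inbound=SMTP_POP3.inbound,
    outbound=None,
    blocked_client_ports=frozenset(range(1024, 65536)),
)


if __name__ == "__main__":
    # Constructed sample connections.
    samples = [
        ("mail from a peer MTA, random client port", Connection("remote", "tcp", 51234, 25)),
        ("POP3 login from a user", Connection("remote", "tcp", 60001, 110)),
        ("probe of web messaging port", Connection("remote", "tcp", 40123, 8383)),
        ("server's own outbound mail", Connection("server", "tcp", 33000, 25)),
        ("server doing a DNS lookup", Connection("server", "udp", 33001, 53)),
        ("rogue app calling out on 80", Connection("server", "tcp", 33002, 80)),
    ]
    for name, policy in [("SMTP_POP3", SMTP_POP3), ("LOCKED_DOWN", LOCKED_DOWN)]:
        print(f"--- {name}")
        for label, conn in samples:
            print(f"{'ALLOW' if allowed(conn, policy) else 'DENY ':5} {label}")
    print("clients reachable, correct policy:", reachable_client_fraction(SMTP_POP3, "tcp", 25))
    print("clients reachable, BROKEN policy: ", reachable_client_fraction(BROKEN, "tcp", 25))
```

The point the numbers make: under `SMTP_POP3` every one of the 65,535 client ports reaches port 25, while the `BROKEN` policy, which tries to "close" high-numbered ports on the wrong side of the connection, lets through only the 1,023 clients that happen to pick a low port, which is the random-failure behaviour Scott describes.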