> -----Original Message-----
> From: Harry Whitehouse [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 8 September 2000 9:05 AM
> To: [EMAIL PROTECTED]
> Subject: SMTP Security
>
> I'm protecting a very small and specialized network. The ONLY traffic I
> permit is HTTP (80), SSL (443), and SMTP traffic. This traffic is allowed
> to access only a few servers on the inside (NAT is used). A PIX 520 serves
> as the firewall.
>
> Our mail server is OUTSIDE of our protected network, and that's why I have
> permitted SMTP traffic from some INSIDE clients on my PIX 520.

Usually, mail clients don't collect mail using SMTP. This model is good for sending outbound mail (internal clients relay through a secure SMTP server) but not so great for receiving mail. You could either allow S/POP or POP over SSH or some similar thing from inside clients to your secure server, OR you could add another secure mail server to the internal network and allow your outside mail server to relay to the inside one.

> The vast majority of the email traffic will be outbound -- the clients
> send automated email confirming various transactions that might occur.
> However, it is possible that mail will be sent to these clients (perhaps
> never read, but nonetheless sent).
>
> Can you folks comment on the security issues associated with allowing SMTP
> on this specialized network? I realize there would be a threat if someone
> opened an email on the client which had a malicious attachment. But what
> other attacks am I open to when I allow SMTP traffic?

Don't allow attachments, unless you need them for your business model. I'd just love to give people text-only mail clients, if I could get away with it. If you must use a "Break me!" client like Outlook, make sure you apply the security patches and set the "zone" for incoming mail to "Restricted Sites" etc etc.

I think I like the relaying model best because SMTP is well understood and doesn't require any user accounts on the external server. You could use qmail or Postfix for the external server (and the internal one, for that matter), which both have good reputations as stripped-down, secure mail servers.

Don't forget - crypto is your friend. If you're using email as part of your business process you should make sure that you use PGP / GPG / S/MIME or something that allows for strong authentication and confidentiality (if required).

> TIA
>
> Harry

Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
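
The "don't allow attachments" advice in the reply above can be enforced on the relay itself rather than left to each mail client. The following is an added example, not part of the original post: a filter that rebuilds each inbound message as single-part text/plain. The function names, the kept-header list and the sample message are assumptions made for illustration, and hooking it into qmail or Postfix is left out.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

KEEP_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")  # assumed allow-list

def strip_to_text(raw: bytes):
    """Rebuild a message as single-part text/plain; report what was dropped."""
    original = message_from_bytes(raw, policy=policy.default)
    kept, dropped = [], []
    for part in original.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype == "text/plain" and not part.is_attachment():
            kept.append(part.get_content())
        else:
            dropped.append((ctype, part.get_filename() or "(unnamed)"))
    # Build a fresh message instead of editing in place, so no MIME
    # structure or unexpected header from the sender survives.
    clean = EmailMessage(policy=policy.SMTP)
    for name in KEEP_HEADERS:
        if original[name] is not None:
            clean[name] = str(original[name])
    body = "\n".join(kept)
    for ctype, filename in dropped:
        body += f"\n[gateway removed: {filename} ({ctype})]"
    clean.set_content(body + "\n")
    return clean.as_bytes(), dropped

def build_sample() -> bytes:
    """Constructed test message: text + HTML alternative + executable."""
    msg = EmailMessage()
    msg["From"] = "orders@example.com"
    msg["To"] = "client@example.com"
    msg["Subject"] = "Transaction confirmation"
    msg.set_content("Order 1001 confirmed.\n")
    msg.add_alternative("<b>Order 1001 confirmed.</b>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_to_text(build_sample())
    print(removed)
    print(cleaned.decode("ascii"))
```

Text inside an attached message (message/rfc822) is kept as plain text, because the walk descends into it; the nested attachments are still dropped.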
