One possibility I have not heard discussed would be to write a wrapper that can distinguish the difference between protocol messages sent by an SMTP program and a person composing them at a Telnet prompt. The former would likely arrive as a single packet per protocol message, while the latter would likely arrive as a single character per packet (Telnet generally does not buffer lines). Another option might be to send back a Telnet control/negotiation message - an SMTP program would likely ignore it, while a Telnet program would respond. I haven't tried either of these approaches, but think they would detect most user attempts to spoof SMTP using Telnet.
- Randy Smith
-----Original Message-----
>From: Paul D. Robertson [SMTP:[EMAIL PROTECTED]]
>To: [SMTP:[EMAIL PROTECTED]]
>Cc: [EMAIL PROTECTED]
>Subj: RE: Restrict telnet to port 25 via firewall.
>Sent: Monday, March 25, 2002 3:38 AM
>
>On Mon, 25 Mar 2002, Navin Mehra/MUM/IN/STTL wrote:
>
>> Date: Mon, 25 Mar 2002 14:25:35 +0530
>> From: Navin Mehra/MUM/IN/STTL <[EMAIL PROTECTED]>
>> To: Madhur Nanda <[EMAIL PROTECTED]>
>> Cc: [EMAIL PROTECTED]
>> Subject: RE: Restrict telnet to port 25 via firewall.
>>
>>
>> Thanks for the feedback.
>> But the problem is anybody can compose a mail, via telneting to port 25,
>
>Mail is spoofable. That's a flaw in the protocol. Telnet isn't the only
>way to spoof mail.
>
>> and then, impersonating the person, can send a mail on his behalf. Can I
>> enable any sort of authorisation on the PIX firewall, or is there a setting
>> in the Lotus Notes server R5?
>
>If you want the machine to receive mail from the Internet, the best you
>can do is to ensure it's not an open relay. As mentioned, there are
>client-side mail integrity solutions like S/MIME and PGP/GPG.
>
>If you're relying on SMTP for authenticity, you need to either switch
>mechanisms or add client-side validation, or accept the fact that the
>protocol has major flaws.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>[EMAIL PROTECTED] which may have no basis whatsoever in fact."
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
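The two checks Randy sketches above, written out as an added example (this is not code from the list post or from any of the products mentioned). It assumes a wrapper in front of the mail server can see the arrival time and payload of each TCP segment on port 25; the packet-size and inter-arrival thresholds are assumptions chosen for illustration, and the Telnet option bytes follow RFC 854/857.

```python
from dataclasses import dataclass

# Telnet command and option bytes (RFC 854, RFC 857).
IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE
ECHO = 0x01


@dataclass
class Segment:
    t: float        # arrival time in seconds (relative)
    payload: bytes  # TCP payload of the segment


def classify_client(segments, max_chars_per_pkt=2, min_gap=0.05):
    """Heuristic 1: a person at a Telnet prompt sends roughly one character per
    packet with human-scale gaps; an MTA writes the whole command in one write.
    Thresholds are assumptions for this example."""
    if len(segments) < 2:
        return "automated"
    small = sum(1 for s in segments if len(s.payload) <= max_chars_per_pkt)
    gaps = [b.t - a.t for a, b in zip(segments, segments[1:])]
    slow = sum(1 for g in gaps if g >= min_gap)
    if small / len(segments) > 0.8 and slow / len(gaps) > 0.5:
        return "interactive"
    return "automated"


def probe() -> bytes:
    """Heuristic 2: the negotiation the wrapper could send after the banner,
    IAC DO ECHO. An SMTP client has no Telnet layer and will not answer it."""
    return bytes([IAC, DO, ECHO])


def answered_negotiation(reply: bytes) -> bool:
    """True if the client's reply carries a Telnet option response
    (IAC followed by WILL/WONT/DO/DONT), i.e. a real Telnet client."""
    i = reply.find(bytes([IAC]))
    while i != -1 and i + 1 < len(reply):
        if reply[i + 1] in (WILL, WONT, DO, DONT):
            return True
        i = reply.find(bytes([IAC]), i + 1)
    return False


def typed(cmd: str, gap: float = 0.15):
    # Constructed sample: a human typing one character per packet.
    return [Segment(i * gap, c.encode()) for i, c in enumerate(cmd)]


def sent(cmd: str):
    # Constructed sample: an MTA sending the whole command line at once.
    return [Segment(0.0, cmd.encode())]
```

A classification of "interactive" is a signal to log or rate-limit the session, not proof of spoofing on its own, since line-mode Telnet clients and slow links blur the first heuristic.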