Greetings!
Fauzi Badron wrote:
>
> Is it suitable to open tcp port 1023 to 65535 for mail server at my
> firewall?

By definition a mail server only needs SMTP plus maybe POP or IMAP. But
I guess you're talking about a Microsoft Exchange server? MSX uses
Microsoft-RPCs (tcp/135 plus server-side-opened tcp/1024+) for data
exchange.

Two ways to handle this - best use both:

- if you use CheckPoint's Firewall-1: there you have RPC filters for
  MSX. Use them if you can.
- set the RPC server port (i.e. the connection issued by the server) to
  one fixed port. This way you only need to open one port in, not all
  above 1024. See M$-KnowledgeBase articles Q155831 and Q148732 for
  details. You may run into resource problems with this if you have a
  large number of clients, though.

In either case make REALLY sure that your MSX server is bastioned
against DoS attacks on the opened port. If possible, restrict the
access to this port to a limited number of addresses.

If you need to provide access for mobile users, try to find out the
IP-range your dial-in provider is using and restrict access to that. For
this scenario personal VPNs would be a better solution though.

Bye
Volker
--
-------------------------------------------------------------------
[EMAIL PROTECTED] discon GmbH
IT-Security Consulting Wrangelstrasse 100
http://www.discon.de/ 10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
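
An added example, not part of the original post: a small audit that compares the "open everything above 1023" rule from the question with the pinned-port, restricted-source rules the reply recommends. The rule tuple format, the fixed port 5000 and the 192.0.2.0/24 source range are assumptions made for illustration; the post names neither a port nor a range.

```python
import ipaddress

ENDPOINT_MAPPER = 135   # tcp/135, named in the reply
FIXED_RPC_PORT = 5000   # hypothetical: the post does not say which port to pin

# Constructed sample rules: (source CIDR, protocol, first port, last port),
# all inbound to the mail server.
WIDE_RULES = [
    ("0.0.0.0/0", "tcp", ENDPOINT_MAPPER, ENDPOINT_MAPPER),
    ("0.0.0.0/0", "tcp", 1023, 65535),          # the rule from the question
]
PINNED_RULES = [                                 # 192.0.2.0/24 stands in for
    ("192.0.2.0/24", "tcp", ENDPOINT_MAPPER, ENDPOINT_MAPPER),  # a known
    ("192.0.2.0/24", "tcp", FIXED_RPC_PORT, FIXED_RPC_PORT),    # client range
]

def audit(rules, allowed_ports=(ENDPOINT_MAPPER, FIXED_RPC_PORT)):
    """Return (rule, problems, exposure) for each rule.

    exposure = reachable ports x source addresses, a rough measure of how
    much the rule leaves open towards the server.
    """
    report = []
    for src, proto, lo, hi in rules:
        net = ipaddress.ip_network(src)
        ports = hi - lo + 1
        # Ports in the range that are not one of the two RPC endpoints.
        extra = ports - sum(1 for p in allowed_ports if lo <= p <= hi)
        problems = []
        if extra:
            problems.append(f"{extra} ports open beyond the RPC endpoints")
        if net.prefixlen == 0:
            problems.append("source not restricted")
        report.append(((src, proto, lo, hi), problems, ports * net.num_addresses))
    return report

def total_exposure(rules):
    """Sum of port x address pairs reachable through all rules."""
    return sum(exposure for _, _, exposure in audit(rules))

if __name__ == "__main__":
    for name, rules in (("wide", WIDE_RULES), ("pinned", PINNED_RULES)):
        for rule, problems, exposure in audit(rules):
            print(name, rule, exposure, problems or "ok")
```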