Actually you need to look at this more simply. Use Mail Sentinel for your inbound SMTP on your MX record, but use a direct inbound tunnel to your mail server for your client SMTP communications for sending. Require auth for direct connections, perhaps on separate mail servers, so that the one with a direct inbound tunnel can only relay for authenticated clients.
Chris Green

-----Original Message-----
From: Christopher A. Congdon [mailto:[EMAIL PROTECTED]
Sent: Friday, January 14, 2005 2:30 PM
To: [email protected]
Subject: [gb-users] Requesting ESMTP Support.

Lately, I have been encountering all sorts of problems concerning SMTP proxies. My latest fiasco was when we upgraded our Cisco router with security software, and suddenly none of our users could send e-mail anymore. It turns out that Cisco has functionality called SMTP Fixup, which is an SMTP proxy similar to the SMTP Proxy functionality on GTA's firewalls. Now Cisco, as well as GTA, seem to consider ESMTP a security risk. Exactly what I was told by GTA is:

> Mail Sentinel SMTP proxy only supports a subset of SMTP commands and
> does not support ESMTP. This was done on purpose to limit unauthorized
> access to the internal mail server. The only commands that are
> acceptable are: HELO, MAIL FROM, RCPT, DATA, RSET, NOOP and QUIT. We've
> successfully been using this subset of SMTP commands in our proxy since
> 1994.

I can understand some folks taking the stance of 'If it ain't broke, don't fix it'. However, the SMTP standard is about 23 years old! RFC821, written in August 1982, covers the SMTP feature set. And if you read this RFC, you'll see that SMTP has barely changed since it was first written. In order to address the additional functionality that was lacking in SMTP, the ESMTP RFC was written as RFC1425 in February 1993. In this intervening time, security companies seem to think that there is no need to upgrade to support this additional functionality.

The e-mail server I bought, as well as the e-mail clients I have bought, support this functionality. But if I want to ensure security, my security device actually destroys this functionality. Cisco goes so far as to actually FORGE messages between the server and client when ESMTP communication is attempted. If you send EHLO through Cisco Fixup, it receives this and then sends a NOOP to the server. The server then responds with a 250 OK, but the Cisco instead passes on a 550 to the client. (I watched this happen through a packet sniffer on my mail server, which was when I finally isolated the problem.)

Is there no way to write a proxy to make it secure with ESMTP? What exactly is this potential 'unauthorized access' that could occur on my server if I use ESMTP that you are trying to protect me from? What other alternatives do I have to secure my server from being an open relay yet still allow my users to send e-mail? (Personally, it would be too difficult for me to use IP-based security since my customers are on a diverse number of ISPs, each with their own peccadilloes when you attempt to send mail outbound through their servers instead.)

In the end, ESMTP isn't optional for me; it's a necessity, especially since I have a couple of new clients coming on board that wish to use ETRN services. This is not an attempt to slam GTA for its choices (although I'll be happy to slam Cisco for actually forging messages). It is just a request for you folks to re-visit these choices and discuss why this course of action has been taken and has not changed since 1993. I would like to be able to use the Mail Sentinel Anti-Virus to keep watch over my network, but not at the expense of security or functionality of my existing network.

Christopher Congdon
Network Engineer
Congdon Web LLC
317-920-9601

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/
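The command subset quoted in the GTA reply above, as an added example that is not GTA's, Cisco's or either poster's code: a small Python model of a proxy that forwards only that subset to the internal server and answers anything else with a 502 itself, so a standards-following client can fall back from EHLO to HELO (rather than receiving a forged reply to a different command). It also handles the edge case such a whitelist must get right: once the server has accepted DATA with 354, message-body lines are relayed untouched, so a body line beginning with "EHLO" is not mistaken for a command. The fake server, the reply strings and the sample session are constructed for this example.

```python
# Added example (constructed): a model of an SMTP proxy that forwards only the
# command subset named in the quoted GTA reply. Not GTA's, Cisco's or the
# posters' code; the fake server, replies and sample session are made up here.

# Verbs the quoted reply says Mail Sentinel accepts.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# What the proxy answers itself for any other verb (EHLO, AUTH, ETRN, ...).
# A 500/502 lets an ESMTP client retry with HELO; a forged 550 does not.
REJECT_REPLY = "502 5.5.1 Command not implemented"


class CommandFilter:
    """Decides, line by line, whether a client line is forwarded to the server.

    Verbs are only inspected outside the DATA phase. The filter enters that
    phase only after the server has answered a forwarded DATA with 354, and
    leaves it at the terminating '.' line.
    """

    def __init__(self, allowed=ALLOWED_VERBS):
        self.allowed = set(allowed)
        self.awaiting_354 = False   # DATA forwarded, waiting for the server's go-ahead
        self.in_data = False        # client is sending the message body

    def client_line(self, line):
        """Return ('forward', line) or ('reject', reply) for one client line."""
        if self.in_data:
            if line == ".":
                self.in_data = False
            return ("forward", line)            # body text is never filtered
        verb = line.split(" ", 1)[0].upper()
        if verb not in self.allowed:
            return ("reject", REJECT_REPLY)
        if verb == "DATA":
            self.awaiting_354 = True
        return ("forward", line)

    def server_reply(self, reply):
        """Track the server's answer to a forwarded DATA."""
        if self.awaiting_354:
            self.awaiting_354 = False
            self.in_data = reply.startswith("354")


def fake_server(line):
    """Stand-in for the internal mail server (constructed; accepts everything)."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "DATA":
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "QUIT":
        return "221 Bye"
    return "250 OK"


def run_session(client_lines):
    """Feed a scripted client session through the filter.

    Returns a list of (client_line, who_answered, reply): 'proxy' when the
    filter refused the line itself, 'server' when it was relayed (body lines
    get reply None because the server answers them only at the final '.').
    """
    flt = CommandFilter()
    transcript = []
    for line in client_lines:
        action, payload = flt.client_line(line)
        if action == "reject":
            transcript.append((line, "proxy", payload))
            continue
        if flt.in_data and line != ".":
            transcript.append((line, "server", None))
            continue
        reply = fake_server(line)
        flt.server_reply(reply)
        transcript.append((line, "server", reply))
    return transcript


def refused_verbs(client_lines):
    """Verbs from the session that never reached the internal server."""
    return [line.split(" ", 1)[0].upper()
            for line, who, _ in run_session(client_lines) if who == "proxy"]


# Constructed client session: an ESMTP client that falls back to HELO.
SAMPLE_SESSION = [
    "EHLO client.example",             # ESMTP greeting: refused by the proxy
    "HELO client.example",             # plain SMTP fallback: forwarded
    "AUTH LOGIN",                      # extension verb: refused
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: test",
    "",
    "EHLO in a body line is just text",  # inside DATA: relayed, not a command
    ".",
    "ETRN example.net",                # extension verb: refused
    "QUIT",
]

if __name__ == "__main__":
    for line, who, reply in run_session(SAMPLE_SESSION):
        print(f"C: {line!r:40} -> {who}: {reply}")
```

Run as a script it prints the transcript; the point to notice is that the three refused verbs are answered by the proxy with a 502 and never forwarded, while the EHLO inside the message body passes through because the filter stopped looking at verbs after the server's 354. The whitelist itself is the only policy here; whether it should include AUTH and ETRN is exactly the question the thread is arguing.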
