[Mimedefang] Security note: Open port 25 on internal mail servers

Matthew.van.Eerde at hbinc.com
Wed Feb 4 19:16:37 EST 2004


> From: Lucas Albers [mailto:admin at cs.montana.edu]
> David F. Skoll said:
> > 3) Even if you don't have MX or A records pointing to internal mail
> > servers, you should firewall off port 25 on internal mail servers from
> > the outside world.  We've seen instances of the MyDoom virus bypassing
> > the MIMEDefang machine by port-scanning for something listening on
> > port 25.
> >
> > The basic guiding principle: Do not permit any path for Internet
> > e-mail to bypass your MIMEDefang machine.
> I would like to firewall off access to an internal mail server, but my
> clients from off campus use it to send mail...
> This would work:
> Allow authenticated and local users to send mail through it but refuse all
> other mail through it. Configure it so external mailers will re-attempt
> delivery through external MX mailers...
> If I generate a 451 code to external MTAs
> they should try the secondary MX, correct?

We use this same setup.

One SMTP server (A) that accepts only authenticated sessions and allows
relay for those.
Another SMTP server (B) that accepts any session but does not allow relay.

The trick is to only have A listed as an MX record.  B does *not* need to be
listed as an MX record.  Usually B is listed explicitly (by DNS name) in the
off-campus client's email client as the "Sending Mail Server" or "SMTP
Server" - no need to advertise it in DNS, though a portscanner will still
find it.
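To make the two-server split concrete, here is a small model of the accept/relay decisions the thread describes: server A admits only authenticated or on-campus sessions and lets them relay, while server B accepts any session but delivers only to local domains. This is an added example written for this page, not code from the thread, from MIMEDefang or from any MTA; the networks, domains, reply texts and helper names are constructed assumptions, and the 451 on A follows the poster's suggestion of a temporary failure for unauthenticated external senders.

```python
"""Model of the two-server SMTP policy from the thread (added example; the
sample network, domain, reply texts and function names are constructed)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample values standing in for the campus network and domain.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.edu"}


@dataclass
class Session:
    """What the MTA knows at RCPT TO time."""
    client_ip: str
    authenticated: bool   # SMTP AUTH succeeded on this session
    recipient: str


def is_local_client(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_local_recipient(rcpt: str) -> bool:
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def policy_a(s: Session) -> tuple:
    """Server A (the submission host): authenticated or on-campus sessions
    may relay anywhere; everyone else is deferred with a 4xx so a sending MTA
    treats it as temporary rather than as a permanent rejection."""
    if s.authenticated or is_local_client(s.client_ip):
        return (250, "2.1.5 OK")
    return (451, "4.7.1 Temporary failure, use the advertised MX host")


def policy_b(s: Session) -> tuple:
    """Server B (the host anyone may connect to): accepts mail for local
    domains only and never relays, whoever the client is."""
    if is_local_recipient(s.recipient):
        return (250, "2.1.5 OK")
    return (554, "5.7.1 Relay access denied")


def is_temporary(code: int) -> bool:
    """SMTP reply classes: 4yz means try again later, 5yz means give up."""
    return 400 <= code < 500


if __name__ == "__main__":
    # A session from an external MTA that is neither on campus nor authenticated.
    ext = Session("198.51.100.7", False, "user@example.edu")
    print("A:", policy_a(ext), "temporary:", is_temporary(policy_a(ext)[0]))
    print("B:", policy_b(ext))
```

The point the model makes visible is the separation of concerns: the host that is reachable from anywhere (B) never relays, and the host that relays (A) never accepts an unauthenticated, off-campus session, so neither one on its own provides a path for Internet mail around the scanning machine.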