[Mimedefang] Security note: Open port 25 on internal mail servers
Matthew.van.Eerde at hbinc.com
Wed Feb 4 19:23:01 EST 2004
> From: Matthew.van.Eerde
...
> We use this same setup.
>
> One SMTP server (A) that accepts only authenticated sessions
> and allows relay for those.
> Another SMTP server (B) that accepts any session but does not
> allow relay.
>
> The trick is to only have A listed as an MX record. B does
> *not* need to be listed as an MX record. Usually B is listed
> explicitly (by DNS name) in the off-campus-client's email
> client as the "Sending Mail Server" or "SMTP Server" - no
> need to advertise it in DNS, though a portscanner will still find it.
Er, duh...
reverse A and B in the last paragraph.
MX-record-advertise your public SMTP server that accepts incoming email.
Don't advertise your authentication-only SMTP server and legitimate mail
servers will never attempt to send mail through it. Double-check that the
authentication-only thing is working by using a relay-test service such as
ordb.org. In fact, relay-test all your machines that listen on port 25 as a
matter of habit.
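As an added illustration (not code from the thread or from MIMEDefang), the RCPT TO policy for the two roles described above, written as a small decision function, plus the relay self-test the post recommends, driven with Python's standard smtplib against a server you administer. The domain set, host and probe addresses are constructed placeholders.

```python
"""Two-server split: a public MX that never relays, and an authenticated-only
submission server that relays only after AUTH.  Hypothetical example code."""
import smtplib

LOCAL_DOMAINS = {"example.com"}  # constructed: domains this site accepts mail for


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].lower()


def rcpt_decision(role: str, authenticated: bool, rcpt: str,
                  local_domains=LOCAL_DOMAINS) -> str:
    """Reply to a RCPT TO command for the given server role.

    'mx'         -> the MX-advertised inbound server: accepts only recipients
                    in local_domains, regardless of authentication.
    'submission' -> the unadvertised server used by off-campus clients:
                    refuses every recipient until the session has authenticated.
    """
    local = domain_of(rcpt) in local_domains
    if role == "mx":
        return "250 2.1.5 Ok" if local else "554 5.7.1 Relay access denied"
    if role == "submission":
        if not authenticated:
            return "530 5.7.0 Authentication required"
        return "250 2.1.5 Ok"
    raise ValueError(f"unknown role {role!r}")


def relay_self_test(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Check one of your own port-25 listeners the way a relay-test service does:
    offer an external sender and an external recipient (constructed, undeliverable)
    and see whether RCPT TO is accepted.  True means the host would relay."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        code, _ = conn.mail("relay-probe@example.net")
        if code != 250:
            return False          # sender refused outright: no relay possible
        code, _ = conn.rcpt("relay-probe@example.org")
        conn.rset()               # abandon the transaction; nothing is sent
        return code == 250
```

Run `relay_self_test("mail.example.com")` against each machine that listens on port 25; the MX should return False and the authentication-only server should return False for an unauthenticated session.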