Re: IIS SMTP - is open relay prevented?

That said, Sanford has suggested turning SMTP AUTH back on (via
"allow machines that authenticate to relay" checkbox). The only
issue here...

That's not an issue for a server that, as the OP states, is used only
to send form mail -- and thus *must not* have incoming port 25 allowed
through the firewall. It would've been silly to state the obvious
security concerns of any Internet-connected machine (i.e. "block at
the firewall any ports you are not using").

More important, the discussion is about relay-by-AUTH vs. relay-by-IP,
but you're reframing it as relay-by-AUTH vs. *access*-by-IP.
Relay-by-AUTH and access-by-IP are not mutually exclusive; rather,
they are governed by two totally separate parts of the interface. When
you can't block block unwanted traffic at the edge, firewall, or even
local stack level, it's best practice to block as early in the
application level as possible; you should not allow anyone to attempt
connections on ports for which there is no legitimate traffic. This
means disallowing all traffic (access-by-IP) from anywhere but
127.0.0.1 for any server that, as in the OP's example, sends form mail
only. That makes the dictionary attack "issue" a red herring if
correct configuration is otherwise used.

As it is, your current configuration is probably the easiest to
maintain.

Laziest to maintain != Easiest to maintain. It's one thing to
streamline your configuration, it's another to have no audit trail or
security boundaries because you run everything in the same context.
Web developers need to get used to the uncomfortable idea of _somebody
else_ running their code, whether that be a customer or a hacker. That
means knowing *which* web application sent mail from 127.0.0.1. On a
server with innumerable posting acceptors running under the same
context, an accidentally open HTTP-SMTP proxy is almost impossible to
track down.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
.

Relevant Pages

  • Re: iptables help
    ... A firewall is no cure-all, an excuse to allow insecure systems on your ... machines secure from all kinds of attacks that a firewall could easily ... You get an idea about security and the effort will give you a healthy ...
    (comp.security.firewalls)
  • Re: KB9412615 and IE7 in Vista
    ... third-party firewall AND enable the Windows Firewall. ... additional security. ... There seems to be a fix for IE6, but not for IE7 ... I have the same issue on two Vista Machines with IE7, ...
    (microsoft.public.windowsupdate)
  • Re: For the AdaOS folks
    ... > that a firewall is redundant. ... and more comprehensive security than a firewall can. ... AdaOS will not have any holes or back doors in its security. ... are running AdaOS or machines which can communicate with AdaOS only through ...
    (comp.lang.ada)
  • Re: suspicious firewall rules in WinXP firewall
    ... There really is nothing you can do, except uninstall the firewall completely, restart the computers and see if they can connect using dns. ... The first problem of course is the firewall or internet security suite --- remove that and all should be OK again. ... I have run into these problems with customer machines and there is no easy fix and yet there is no root kit either. ...
    (Incidents)
  • [REVS] Bypassing Client Application Protection Techniques
    ... Get your security news from a reliable source. ... protection programs. ... * Kerio Personal Firewall 4.0 ... And we got actually nothing in the field of client application ...
    (Securiteam)
Loading