Re: IIS SMTP - is open relay prevented?
- From: "Sanford Whiteman" <swhitemanlistens-software@xxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Nov 2007 00:26:54 -0500
> Alternatively, if there's only a single web application, and this is
> compromised, then you gain very little from SMTP AUTH since the
> attacker is merely manipulating what the web application is
> permitted to do anyway.
While you're right about this case, I hardly think this mitigates the
correctness of defensive design for a public-facing web server.
And just because you have a single-purpose web application doesn't
mean it reuses the same set of credentials for every session. An app
that uses HTTP auth, or any internal auth mechanism, that shares the
local SAM or AD and uses it for impersonation/isolation should also
pass those most specific credentials to the SMTP server. Maybe I'm
getting out of the real world here, but I firmly believe in the most
accountability possible to combat SMTP abuse, as it can be so
devastating to a server's global rep.
--Sandy
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------