Solved

Possible security issues when opening incoming Port 25?

Posted on 2001-07-03
6
275 Views
Last Modified: 2013-11-30
We are thinking of opening TCP port 25 for incoming SMTP connections.
Spam relaying aside (which can easily be prevented), what other security issues may there be?
Are there any unwanted things that may happen?
Until now, no NAT is configured for incoming connections on our router and the only port we might configure is incoming SMTP.

Kind regards
zz
0
Question by:zzconsumer
6 Comments
 
LVL 5

Expert Comment

by:dcgames
ID: 6248938
Main security on port 25 is RELAYING which is the practice of sending e-mail to the world through your SMTP agent.

Security practices on SMTP you should consider (not mandatory):

a) Accept e-mail only for e-mail addresses KNOWN to the gateway (if integrated with local directory)

b) Alternative is accept e-mail only for YOUR domain (w/out verification that actual e-mail is valid)

c) Set maximum size on inbound e-mail

d) Set maximum size on total "session" (i.e. multiple e-mails per single SMTP session)

If you want to allow users to check their e-mail while on the road, you might need:

e) To enable POP3 access (to retrieve e-mail) which means opening port 110 also.

f) To get an SMTP agent that can tie retrieval of e-mail on POP3 (which uses password authentication) to allowing e-mail to be sent to a non-local domain. This allows me to check my e-mail (POP3) and then reply / send e-mails using my POP3 client no matter where I am, because the SMTP agent knows I've just been authenticated, so it suspends rules a) or b) for a few minutes on my account.

Last one:

g) SPAM and VIRUS control, if supported by the SMTP gateway, are nice to have, but sometimes intrusive, so check your vendor's capabilities and at least have a company policy regarding this.

Dave

0
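The practices a) to d) and f) above are easier to reason about as a concrete acceptance policy. The following is an added example (not code from the thread or from any particular mail server) that models them in Python: recipient checks against a local directory or local domain list, a per-message and per-session size cap, and a short grace window after a POP3 login during which a client address may relay. The domains, user list, limits and client addresses are all constructed for illustration; real mail servers implement these as configuration, not application code.

```python
"""Inbound SMTP acceptance policy (added example, not from the thread).

Models the practices listed in the comment above:
  a) accept only recipients known in a local directory (KNOWN_USERS)
  b) or, if no directory is available, any recipient in our own domains
  c) cap the size of one message
  d) cap the total bytes accepted in one SMTP session
  f) a client that authenticated to POP3 within the last few minutes
     may relay to non-local domains ("POP-before-SMTP")
Domains, addresses and limits below are constructed for illustration.
"""
import time
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}                      # constructed
KNOWN_USERS = {"alice@example.com", "bob@example.com"}  # constructed; None = no directory
MAX_MESSAGE_BYTES = 10 * 1024 * 1024                # practice c)
MAX_SESSION_BYTES = 50 * 1024 * 1024                # practice d)
POP_GRACE_SECONDS = 300                             # practice f)


@dataclass
class SmtpSession:
    client_ip: str
    bytes_accepted: int = 0


class RelayPolicy:
    def __init__(self, known_users=KNOWN_USERS, clock=time.time):
        self.known_users = known_users
        self.clock = clock
        self._pop_auth = {}  # client ip -> time of last successful POP3 login

    def record_pop_login(self, client_ip):
        """Called by the POP3 side after a successful password check."""
        self._pop_auth[client_ip] = self.clock()

    def _recently_authenticated(self, client_ip):
        t = self._pop_auth.get(client_ip)
        return t is not None and self.clock() - t <= POP_GRACE_SECONDS

    def check_rcpt(self, session, rcpt):
        """Return (accepted, smtp_reply) for one RCPT TO address."""
        local, _, domain = rcpt.rpartition("@")
        if not local or not domain:
            return False, "501 5.1.3 Bad recipient address syntax"
        if domain.lower() in LOCAL_DOMAINS:
            # a) directory check if we have one, otherwise b) domain-only check
            if self.known_users is not None and rcpt.lower() not in self.known_users:
                return False, "550 5.1.1 User unknown"
            return True, "250 2.1.5 OK"
        # Non-local recipient: relay only for a freshly POP3-authenticated client
        if self._recently_authenticated(session.client_ip):
            return True, "250 2.1.5 OK (relay permitted after POP3 login)"
        return False, "554 5.7.1 Relay access denied"

    def check_data(self, session, message_bytes):
        """Return (accepted, smtp_reply) for a message of the given size."""
        if message_bytes > MAX_MESSAGE_BYTES:
            return False, "552 5.3.4 Message size exceeds fixed maximum"
        if session.bytes_accepted + message_bytes > MAX_SESSION_BYTES:
            return False, "452 4.3.1 Session byte limit reached"
        session.bytes_accepted += message_bytes
        return True, "250 2.0.0 OK"
```

The grace window is keyed on the client's source address, which is exactly the weakness of POP-before-SMTP: anyone sharing that address (a NAT gateway, for example) inherits the relay permission until it expires, which is why the window should be short.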
 
LVL 5

Expert Comment

by:vsamtani
ID: 6249736
Make sure that whatever email server you run on port 25 has been fully patched with all the available security updates, and that you are subscribed to mailing lists that will alert you to new security updates. Besides the relaying problem, which is more to do with getting your configuration right than with security problems, some versions of sendmail on Unix/Linux had a vulnerability that allowed scripts to be executed on the server by hackers connecting to the server on port 25. These vulnerabilities were of course patched as soon as they were discovered, but you have to have the latest version of the software with applicable updates to be sure.

Depending on how reliable you consider your link to the internet to be, and how reliable your server box is, you would probably want to ensure that you have one or two low-priority MX hosts out there prepared to receive mail for your domain(s), which you can check or ETRN periodically.

Vijay
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6249938
You'll have to analyze from a services standpoint... if you're using Unix sendmail then there are a number of vulnerabilities (most of which are patched fairly quickly)... if you're talking about a Windows-based SMTP service, then so far there are fewer exploits...

I would recommend using a mail proxy or mux for incoming mail... this will provide the base functionality you need without opening up your mail server to possible attacks.
0

 
LVL 5

Accepted Solution

by:dcgames (earned 100 total points)
ID: 6250150
Don't expose your entire e-mail server's address to the internet. Instead, place your e-mail server inside your network and have your firewall forward port 25 to the server.

The DNS MX record (for e-mail DNS resolution) points to a public IP address that is your "router/firewall".

The router/firewall knows that any e-mail to that address on port 25 (exclusively) will be forwarded to the internal server.

NAT handles the sending (i.e. block incoming, but not outgoing traffic).

May have to do same for POP3.

Dave
0
 
LVL 2

Expert Comment

by:Thorin
ID: 6260838
Just an add on to what dcgames said...you should then have another router/firewall between the mail server and your internal network.  Do not keep your mail server on the same network as your clients.  This is sometimes called a DMZ (demilitarized zone) though the definition of that term is always up for debate.

Looks like (as best as I can get):

Internet
    |
Router/Firewall 1 (only "real" IP on network)
   |      \
   |       \ Port 25 and possibly 110
   |     Mail Server
   |      /
   |     /
Router/Firewall
   |
Internal Network

This is for max security.  Some folks will recommend that you use different types of router/firewalls in order to protect the internal network: if the first is compromised, the second may not have the same flaw.

-Thorin
0
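To make the accepted solution and the two-tier layout in the diagram above checkable rather than just drawn, here is an added example (not from the thread or from any firewall product) that encodes the intended policy as a small zone-based filter in Python. Firewall 1 separates the Internet from everything else and only forwards port 25 (and optionally 110) to the mail server; Firewall 2 separates the mail server from the internal network and passes nothing from the mail server inward. The zone names, the rule list and the assumption that internal clients talk to the mail server directly on 25/110 are all constructed for illustration.

```python
"""Two-tier firewall policy for the layout in the diagram above (added example).

Zones: INTERNET, DMZ (the mail server), INTERNAL (clients).
Firewall 1 sits between INTERNET and the rest; Firewall 2 between DMZ and
INTERNAL. Both are default-deny and stateful, so only the initiating
direction of a connection is listed; replies ride on the established state.
Rules and zone names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Each rule: (src_zone, dst_zone, proto, dst_port). Anything unlisted is denied.
FIREWALL1 = [
    ("INTERNET", "DMZ", "tcp", 25),    # inbound SMTP, forwarded to the mail server
    ("INTERNET", "DMZ", "tcp", 110),   # optional: POP3 for roaming users
    ("DMZ", "INTERNET", "tcp", 25),    # outbound mail from the server (NAT'd)
    ("DMZ", "INTERNET", "udp", 53),    # DNS for MX lookups (assumption)
]
FIREWALL2 = [
    ("INTERNAL", "DMZ", "tcp", 25),    # clients submit mail (assumption)
    ("INTERNAL", "DMZ", "tcp", 110),   # clients fetch mail (assumption)
    # Deliberately no DMZ -> INTERNAL rule: a compromised mail server
    # gets no foothold on the client network.
]

# Which firewalls a connection between two zones has to cross.
PATH = {
    frozenset({"INTERNET", "DMZ"}): [FIREWALL1],
    frozenset({"DMZ", "INTERNAL"}): [FIREWALL2],
    frozenset({"INTERNET", "INTERNAL"}): [FIREWALL1, FIREWALL2],
}


def _rules_allow(rules, conn):
    return any(
        conn.src_zone == s and conn.dst_zone == d and conn.proto == p and conn.dst_port == port
        for s, d, p, port in rules
    )


def is_allowed(conn):
    """True only if every firewall on the path permits the new connection."""
    if conn.src_zone == conn.dst_zone:
        return True  # same zone, no firewall in between
    firewalls = PATH.get(frozenset({conn.src_zone, conn.dst_zone}))
    if firewalls is None:
        return False  # unknown zone pair: fail closed
    return all(_rules_allow(fw, conn) for fw in firewalls)


def audit(connections):
    """Return the subset of proposed connections the policy would block."""
    return [c for c in connections if not is_allowed(c)]
```

A useful way to use this is to run `audit` over the list of connections each host actually needs (monitoring, backups, directory lookups) before deploying the real rules; every blocked entry is either a rule you must add consciously or a dependency you should remove from the DMZ host.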
 
LVL 1

Author Comment

by:zzconsumer
ID: 6264327
Thanks a lot to all of you!

dcgames gave most information I could use, so I think it's fair if I give him the points.

0
