Solved

Possible security issues when opening incoming Port 25?

Posted on 2001-07-03
Last Modified: 2013-11-30
We are thinking of opening TCP Port 25 for incoming SMTP connections.
Leaving aside spam relaying, which can easily be prevented, what other security issues might there be?
Are there any unwanted things that may happen?
Until now, no NAT is configured for incoming connections on our router and the only port we might configure is incoming SMTP.

Kind regards
zz
Question by:zzconsumer
6 Comments
LVL 5

Expert Comment by: dcgames
Main security on port 25 is RELAYING which is the practice of sending e-mail to the world through your SMTP agent.

Security practices on SMTP you should consider (not mandatory):

a) Accept e-mail only for e-mail addresses KNOWN to the gateway (if integrated with local directory)

b) Alternative is accept e-mail only for YOUR domain (w/out verification that actual e-mail is valid)

c) Set maximum size on inbound e-mail

d) Set maximum size on total "session" (i.e. multiple e-mails per single SMTP session)

If you want to allow users to check their e-mail while on the road, you might need:

e) To enable POP3 access (to retrieve e-mail) which means opening port 110 also.

f) To get an SMTP agent that can tie retrieval of e-mail on POP3 (which uses password authentication) to allowing e-mail to be sent to non-local domains. This allows me to check my e-mail (POP3) and then reply / send e-mails using my POP3 client no matter where I am, because the SMTP agent knows I've just been authenticated, so it suspends the rules a) or b) for a few minutes on my account.

Last one:

g) SPAM and VIRUS control, if supported by the SMTP gateway, are nice to have, but sometimes intrusive, so check your vendor's capabilities and at least have a company policy regarding this.

Dave

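As an added illustration of points a) to d) and f) above (example code, not from the thread or any particular SMTP product): a Python sketch of the envelope decisions an inbound SMTP gateway would make per RCPT TO and per message size. The domain, the mailbox list, the size limits and the POP-before-SMTP grace window are assumed values.

```python
"""Envelope policy for an inbound SMTP gateway, modelled on points a)-f).

Constructed example: domain, mailboxes, limits and the grace window are assumptions.
"""
import time

LOCAL_DOMAINS = {"example.com"}                              # b) accept mail for our domain only
KNOWN_ADDRESSES = {"alice@example.com", "bob@example.com"}   # a) directory of real mailboxes
MAX_MESSAGE_BYTES = 10 * 1024 * 1024    # c) cap on a single inbound message
MAX_SESSION_BYTES = 50 * 1024 * 1024    # d) cap on everything accepted in one SMTP session
POP_GRACE_SECONDS = 15 * 60             # f) relay window after a successful POP3 login


class SmtpPolicy:
    def __init__(self, verify_addresses=True, now=time.time):
        self.verify_addresses = verify_addresses   # True -> rule a), False -> rule b)
        self.now = now                             # injectable clock, so tests are deterministic
        self.pop_logins = {}        # client IP -> time of last successful POP3 login
        self.session_bytes = {}     # session id -> bytes accepted so far in that session

    def record_pop_login(self, client_ip):
        """Called by the POP3 side after password authentication succeeds (rule f)."""
        self.pop_logins[client_ip] = self.now()

    def _recently_authenticated(self, client_ip):
        ts = self.pop_logins.get(client_ip)
        return ts is not None and self.now() - ts < POP_GRACE_SECONDS

    def check_rcpt(self, client_ip, rcpt):
        """Return (accept, smtp_reply) for one RCPT TO address."""
        domain = rcpt.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS:
            if self.verify_addresses and rcpt.lower() not in KNOWN_ADDRESSES:
                return False, "550 no such mailbox"          # a) unknown local user
            return True, "250 ok"                            # a) known user, or b) domain match
        # Non-local recipient: only a client that just authenticated via POP3 may relay (f).
        if self._recently_authenticated(client_ip):
            return True, "250 ok (relay after POP3 auth)"
        return False, "554 relaying denied"

    def check_size(self, session_id, declared_size):
        """Return (accept, smtp_reply) for a MAIL FROM SIZE= value or DATA length."""
        if declared_size > MAX_MESSAGE_BYTES:
            return False, "552 message exceeds fixed maximum size"   # c)
        used = self.session_bytes.get(session_id, 0)
        if used + declared_size > MAX_SESSION_BYTES:
            return False, "452 session quota exceeded"               # d)
        self.session_bytes[session_id] = used + declared_size
        return True, "250 ok"
```

A real MTA would hook these decisions into its RCPT and DATA handlers; the point here is that relaying is a per-recipient decision that depends on who the client has proven to be.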
LVL 5

Expert Comment by: vsamtani
Make sure that whatever email server you run on port 25 has been fully patched with all the available security updates, and that you are subscribed to mailing lists that will alert you to new security updates. Besides the relaying problem, which is more to do with getting your configuration right than with security problems, some versions of sendmail on Unix/Linux had a vulnerability that allowed scripts to be executed on the server by hackers connecting to the server on port 25. These vulnerabilities have of course been patched as soon as they were discovered, but you have to have the latest version of the software with applicable updates to be sure.

Depending on how reliable you consider your link to the internet to be, and how reliable your server box is, you would probably want to ensure that you have one or two low-priority MX hosts out there prepared to receive mail for your domain(s), which you can check or ETRN periodically.

Vijay

LVL 5

Expert Comment by: Droby10
You'll have to analyze from a services standpoint... if you're using Unix sendmail then there are a number of vulnerabilities (most of which are patched fairly quickly)... if you're talking about a Windows-based SMTP service, then so far there are fewer exploits...

I would recommend using a mail proxy or mux for incoming mail... this will provide the base functionality you need without opening up your mail server to possible attacks.

LVL 5

Accepted Solution by: dcgames (earned 100 total points)
Don't expose your entire e-mail server's address to the internet. Instead, place your e-mail server inside your network and have your firewall forward port 25 to the server.

The DNS MX record (for e-mail DNS resolution) points to a public IP address that is your "router/firewall".

The router/firewall knows that any e-mail to that address on port 25 (exclusively) will be forwarded to the internal server.

NAT handles the sending (i.e. block incoming, but not outgoing traffic).

You may have to do the same for POP3.

Dave

LVL 2

Expert Comment by: Thorin
Just an add-on to what dcgames said... you should then have another router/firewall between the mail server and your internal network. Do not keep your mail server on the same network as your clients. This is sometimes called a DMZ (demilitarized zone), though the definition of that term is always up for debate.

Looks like (as best as I can get):

Internet
    |
Router/Firewall 1 (only "real" IP on network)
   |      \
   |       \ Port 25 and possibly 110
   |     Mail Server
   |      /
   |     /
Router/Firewall
   |
Internal Network

This is for max security. Some folks will recommend that you use different types of router/firewalls in order to protect the internal network: if the first is compromised, the second may not have the same flaw.

-Thorin

LVL 1

Author Comment by: zzconsumer
Thanks a lot to all of you!

dcgames gave most information I could use, so I think it's fair if I give him the points.
