Solved

Possible security issues when opening incoming Port 25?

Posted on 2001-07-03
Last Modified: 2013-11-30
We are thinking of opening TCP Port 25 for incoming SMTP connections.
Apart from spam relaying, which can be easily prevented, what other security issues may there be?
Are there any unwanted things that may happen?
So far, no NAT is configured for incoming connections on our router, and the only port we might configure is incoming SMTP.

Kind regards
zz
Question by: zzconsumer
6 Comments

Expert Comment by dcgames
ID: 6248938
The main security issue on port 25 is RELAYING, which is the practice of sending e-mail to the world through your SMTP agent.

Security practices on SMTP you should consider (not mandatory):

a) Accept e-mail only for e-mail addresses KNOWN to the gateway (if integrated with local directory)

b) The alternative is to accept e-mail only for YOUR domain (without verification that the actual e-mail address is valid)

c) Set maximum size on inbound e-mail

d) Set maximum size on total "session" (i.e. multiple e-mails per single SMTP session)

If you want to allow users to check their e-mail while on the road, you might need:

e) To enable POP3 access (to retrieve e-mail) which means opening port 110 also.

f) To get an SMTP agent that can tie retrieval of e-mail on POP3 (which uses password authentication) to allowing e-mail to be sent to a non-local domain. This allows me to check my e-mail (POP3) and then reply to / send e-mails using my POP3 client no matter where I am, because the SMTP agent knows I've just been authenticated, so it suspends rules a) or b) for a few minutes on my account.

Last one:

g) SPAM and VIRUS control, if supported by the SMTP gateway, are nice to have, but sometimes intrusive, so check your vendor's capabilities and at least have a company policy regarding this.

Dave

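To make rules a) to d) and f) concrete, here is an added example (not dcgames' code, and not taken from any mail product) of a small policy engine that replays an SMTP envelope and returns the reply code a gateway applying those rules would give. The hosted domain `example.com`, the two known mailboxes, the size limits, the 15-minute POP-before-SMTP window and the documentation-range client IPs are all assumptions made for the example; the sample sessions are constructed.

```python
"""Toy SMTP policy engine illustrating rules (a)-(d) and (f) from the comment above.

Constructed example only; domains, addresses, IPs and limits are assumptions.
"""
import time

LOCAL_DOMAINS = {"example.com"}                              # assumed: the domain we host
KNOWN_ADDRESSES = {"alice@example.com", "bob@example.com"}   # (a) mailboxes the gateway knows
MAX_MESSAGE_BYTES = 10 * 1024 * 1024                         # (c) per-message cap
MAX_SESSION_BYTES = 25 * 1024 * 1024                         # (d) cap across one whole session
POP_BEFORE_SMTP_WINDOW = 15 * 60                             # (f) seconds after a POP3 login


def domain_of(addr):
    """Return the domain part of an address, lower-cased."""
    return addr.rpartition("@")[2].lower()


class SmtpPolicy:
    """State for one inbound SMTP session; each cmd_* returns the reply line."""

    def __init__(self, client_ip, recent_pop_auth, now, verify_recipients=True):
        self.client_ip = client_ip
        self.recent_pop_auth = recent_pop_auth      # ip -> epoch of last successful POP3 login
        self.now = now
        self.verify_recipients = verify_recipients  # True = rule (a), False = rule (b)
        self.session_bytes = 0
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpt_to = []

    def may_relay(self):
        """Rule (f): a client that logged in via POP3 recently may send off-domain."""
        last = self.recent_pop_auth.get(self.client_ip)
        return last is not None and 0 <= self.now - last <= POP_BEFORE_SMTP_WINDOW

    def cmd_mail(self, sender):
        self._reset_envelope()
        self.mail_from = sender
        return "250 OK"

    def cmd_rcpt(self, recipient):
        if self.mail_from is None:
            return "503 Bad sequence of commands"
        rcpt = recipient.lower()
        if domain_of(rcpt) not in LOCAL_DOMAINS:
            # Recipient is not ours, so accepting it would make us a relay.
            if self.may_relay():
                self.rcpt_to.append(rcpt)
                return "250 OK (relay allowed after recent POP3 login)"
            return "554 Relay access denied"
        if self.verify_recipients and rcpt not in KNOWN_ADDRESSES:
            return "550 No such user here"          # rule (a): unknown local mailbox
        self.rcpt_to.append(rcpt)                   # rule (b) accepts any local-domain address
        return "250 OK"

    def cmd_data(self, message):
        if not self.rcpt_to:
            return "503 No valid recipients"
        size = len(message)
        if size > MAX_MESSAGE_BYTES:
            return "552 Message size exceeds fixed maximum"
        if self.session_bytes + size > MAX_SESSION_BYTES:
            return "421 Session byte limit exceeded, closing connection"
        self.session_bytes += size
        self._reset_envelope()
        return "250 OK, queued"


def run_session(client_ip, commands, recent_pop_auth=None, now=None, verify_recipients=True):
    """Replay a list of (verb, argument) pairs and return the numeric reply codes."""
    policy = SmtpPolicy(client_ip, recent_pop_auth or {},
                        time.time() if now is None else now, verify_recipients)
    dispatch = {"MAIL": policy.cmd_mail, "RCPT": policy.cmd_rcpt, "DATA": policy.cmd_data}
    return [int(dispatch[verb](arg)[:3]) for verb, arg in commands]


if __name__ == "__main__":
    now = 1_000_000.0
    outside, roaming = "198.51.100.7", "203.0.113.5"   # documentation-range IPs (constructed)
    body = b"Subject: hi\r\n\r\nhello\r\n"
    # inbound mail for a known local user: accepted
    print(run_session(outside, [("MAIL", "someone@elsewhere.net"),
                                ("RCPT", "alice@example.com"), ("DATA", body)], now=now))
    # the same outside host trying to relay to a third party: refused at RCPT
    print(run_session(outside, [("MAIL", "someone@elsewhere.net"),
                                ("RCPT", "victim@other.net")], now=now))
    # a roaming user who logged in via POP3 a minute ago: relay permitted
    print(run_session(roaming, [("MAIL", "alice@example.com"), ("RCPT", "victim@other.net")],
                      recent_pop_auth={roaming: now - 60}, now=now))
```

The point to notice is that the relay decision is made at RCPT TO, before any message body is accepted, and that the only thing that relaxes it is the recent POP3 login keyed on the client IP; once the window expires the same host is refused again. The session cap in `cmd_data` accumulates across messages, so a client cannot sidestep the per-message limit by sending many messages in one connection.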
 
Expert Comment by vsamtani
ID: 6249736
Make sure that whatever email server you run on port 25 has been fully patched with all the available security updates, and that you are subscribed to mailing lists that will alert you to new security updates. Besides the relaying problem, which is more to do with getting your configuration right than with security problems, some versions of sendmail on Unix/Linux had a vulnerability that allowed scripts to be executed on the server by hackers connecting to the server on port 25. These vulnerabilities have of course been patched as soon as they were discovered, but you have to have the latest version of the software with applicable updates to be sure.

Depending on how reliable you consider your link to the internet to be, and how reliable your server box is, you would probably want to ensure that you have one or two low-priority MX hosts out there prepared to receive mail for your domain(s), which you can check or ETRN periodically.

Vijay

Expert Comment by Droby10
ID: 6249938
You'll have to analyze this from a services standpoint... if you're using Unix sendmail then there are a number of vulnerabilities (most of which are patched fairly quickly)... if you're talking about a Windows-based SMTP service, then so far there are fewer exploits...

I would recommend using a mail proxy or mux for incoming mail... this will provide the base functionality you need without opening up your mail server to possible attacks.

Accepted Solution by dcgames (earned 400 total points)
ID: 6250150
Don't expose your entire e-mail server's address to the internet. Instead, place your e-mail server inside your network and have your firewall forward port 25 to the server.

The DNS MX record (for e-mail DNS resolution) points to a public IP address that is your "router/firewall".

The router/firewall knows that any e-mail to that address on port 25 (exclusively) will be forwarded to the internal server.

NAT handles the sending (i.e. block incoming, but not outgoing traffic).

May have to do same for POP3.

Dave

Expert Comment by Thorin
ID: 6260838
Just an add on to what dcgames said...you should then have another router/firewall between the mail server and your internal network.  Do not keep your mail server on the same network as your clients.  This is sometimes called a DMZ (demilitarized zone) though the definition of that term is always up for debate.

Looks like (as best as I can get):

Internet
    |
Router/Firewall 1 (only "real" IP on network)
   |      \
   |       \ Port 25 and possibly 110
   |     Mail Server
   |      /
   |     /
Router/Firewall
   |
Internal Network

This is for max security. Some folks will recommend that you use different types of router/firewalls in order to protect the internal network: if the first is compromised, the second may not have the same flaw.

-Thorin

Author Comment by zzconsumer
ID: 6264327
Thanks a lot to all of you!

dcgames gave most information I could use, so I think it's fair if I give him the points.
