Solved

forcing a certain mail server to default?

Posted on 2002-04-08
217 Views
Last Modified: 2010-04-11
hello all here!

I am a C++ programmer and very much a newbie to this section... so I'm expecting fatherly behaviour ;)

okay, I want to make say abc.net mail domain to be the only mail server that can be used to mail from a certain machine. How can I achieve that...

I don't know if this question is easy or difficult, as I am a real newbie to the domain...

I also need advice on how to work in security... I am sorry for sounding so foolish, but I want to work and don't know anything :( Can you help me with web links or with some book titles...

Regards
__A
Question by: kuchnaheen

28 Comments
 
Expert Comment by chris_calabrese (LVL 14):
Unless you control all the software and hardware on the machine, it's probably going to be impossible to enforce this at the client side.

You can probably enforce it at the mail-server side, but how to do it depends greatly on which mail server software you're using.

Author Comment by kuchnaheen (LVL 1):
I have full control over hardware+software... with which mail server software can I achieve that... can some firewall do this for me????

Expert Comment by chris_calabrese (LVL 14):
Well, certainly you can tell your firewall to only allow outgoing SMTP connections to certain addresses.  That should be easy enough.  Mind you, this will be for the entire enterprise, though.

If you're doing this for a largish organization, it sounds like you should pull in help from the e-mail and/or security groups.

Accepted Solution by FlamingSword (LVL 3), earned 50 total points:
> okay, I want to make say abc.net mail domain to be the only mail server that can be used to mail from a certain machine. How can I achieve that...

Generally not doable. Consider, for example, the variety of free eMail using browsers, such as HotMail.  Could you shut down all browser activity?

> ..can some fire wall do this for me????

Not really. Once you do SMTP you permit port 25, for everybody. One 'trick' is to run a small organization using an alternative port address. This costs much in admin overhead, but can restrict many users who are not the power users.

Expert Comment by chris_calabrese (LVL 14):
Agreed.  There will be ways around this type of stuff unless 1) you make it extremely restrictive and 2) you spend a lot of time and/or money making it so.

Author Comment by kuchnaheen (LVL 1):
Okay .... one step ahead.

Can I log all mails that are going out of my machine..... ALL means EVERYTHING: Yahoo, Hotmail, bla bla...

Expert Comment by chris_calabrese (LVL 14):
Sure.  You _can_ log anything you like, including capturing every packet going in or out of the system.  Whether it will be useful is a different story..

1.  The volume may be way too high to analyze it in any meaningful way.

2.  Unless you can show that you're doing this to protect the security of the computer systems involved, you may be in criminal violation of US anti-wiretapping laws (assuming you're doing this in the US).

Expert Comment by SunBow (LVL 24):
ditto.
except, I think you'll be OK to temporarily retain copies of all messages, for purposes of debugging, identifying hijackers and spoofers, and any attempts to misuse your site, along with the traditional ensuring that the (known good) mail flows properly.  What causes problems is becoming too much of a voyeur, intruding into the lives of others -- a definite no-no; as well as finding cans for all them trivial bits. Don't volunteer to help anyone resend. Make 'em maintain their own backups if they want that capability.

Expert Comment by SunBow (LVL 24):
In some cases, you can run SSL for improving security. Try HTTPS for web, such as for logons. PGP for EMs

Expert Comment by SunBow (LVL 24):
> I also need advice on how to work in security...

a lot of security is stuck in simply administering IDs and passwords. How droll. Then there's the constant upgrades. Basically Admin talk. (assuming you don't mean to be a paper-pusher just writing up regulations about building entry).

For technical mumbo jumbo, try out the acronyms of my prior comment, using any search technique you want. Add another: DMZ. Another: RSA (re-check out the number of bits, it's in the news again).  That should keep you well occupied for quite some time. If you are good.

Expert Comment by DVB (LVL 3):
First point:
If you need to force the use of a certain mail server only, just allow outbound port 25 requests only from those servers. Run a proxy based firewall, not a packet filter. This will force SMTP to work only over port 25 and prevent the use of SMTP servers running over port 80/110.....
Block port 80 (you really don't want to allow webmail, do you?).

To make your life simpler: Say why you want to force the use of that particular SMTP server, and we might be able to give you an easier solution.
For instance, the ISP I work at has a policy of not allowing the use of any SMTP server other than ours. This is only so that we have logs in case of spam abuse complaints. The only other requirement we have is that a valid (resolvable) domain be used.

This is enforced primarily by an Acceptable Use Policy and technically by blocking outbound port 25 for everything except our mail servers..

The second point:
Are you asking from an administrative point of view, or from the programmer's point of view? Note that there is a massive overlap between the two in security matters.

I would suggest looking at http://www.securityfocus.com as a starting point for this endeavour. D. Wheeler has an online secure programming howto.
Read everything you can on security. http://www.sans.org is another good place to look at. http://www.google.com will be your best friend.

And, no: security is not simply stuck in administering IDs and passwords (even if it is often implemented that way).

Security is a process, not a product. When coding, think of every way in which your code could be abused. "No one will ever do that" is never a valid answer. Catch your exceptions. Handle input carefully. Make sure it is clean input and sanitize it, if necessary. Know your language, and understand it. Know the limitations of your tools and work within those.
Choose the right language for the right job.

Expert Comment by The--Captain (LVL 16):
A lot of good concepts are expressed above, but I think FlamingSword is hitting the nail on the head - you can certainly restrict outbound SMTP traffic to a certain server, but complete outbound email restriction can only be realized if you are prepared to severely cripple the internet connectivity of such clients, since there are many protocols that can be used to access SMTP gateways (http being one of many).  I guess if you have specific secured workstations dedicated exclusively to email, then this might be feasible.  I guess this isn't too bad if you just want to set up public-access email stations - if you want the client to have more abilities than that, have fun.

Cheers,
-Jon


Expert Comment by DVB (LVL 3):
Well, heavy use of application layer proxies and blocking webmail can help, but since we don't know why he needs such a restriction, giving further suggestions isn't going to be beneficial.
These are generally going to be people problems, and they cannot be solved technically, but must be solved with the judicious use of AUPs and their enforcement.

Expert Comment by vinnyd79 (LVL 28):
Surf Control works great but it's not cheap.

http://www.surfcontrol.com/business/products/

Expert Comment by The--Captain (LVL 16):
>and blocking webmail can help

How are you proposing to do this?  Do you know of some magical way to distinguish between posting to a webmail form on a server, and posting any other kind of form content?  If you mean block port 80, just say so.

Just wondering...

Also, surfcontrol will not work for this (unless you use a whitelist, and then why buy surfcontrol at all?) - the only way is if you block all traffic other than port 25 to the proper server, or create a 'whitelist' of known servers that don't run webmail or email servers that you will allow people to talk to (which will still break, the first time someone on your whitelist decides to be an ass).

>This is enforced primarily by an Acceptable Use Policy
>and technically by blocking outbound port 25
>for everything except our mail servers

What a boneheaded policy - I'd drop your service faster than a hot potato (and maybe subscribe your admin emails to some spam lists if I was feeling particularly pissed-off that day).  What do you do about all the spammers who abuse open webmail cgis - block port 80 outbound for all users?  Sigh.

FlamingSword gets my vote.

If you want to log all email, jlevie has a pretty good discussion around here recently with someone who was asking questions along those lines.  If you want the URL I'll dig it up - I think chris knows what I'm talking about (he tried his goofy wiretap argument there, IIRC).

-Jon


Expert Comment by The--Captain (LVL 16):
If you want the ultimate solution (which I think has been mentioned or hinted at above), just make it corporate policy, log outbound connections on port 25, and make an example of some bloke who violates the policy by canning him.

You'll likely see outbound connections on port 25 drop to zero.

As far as security references, I think O'Reilly has some good ones - avoid the GIAC, unless you want to fool people into thinking you know something about security when you really just have a meaningless certification (have you *seen* the sample questions on the GIAC?  Aside from being pathetic, they constantly remind me why I refuse to be employed by corporations (consulting, on the other hand, is where it's at - set your own terms, avoid the corporate BS, and walk away with a ton of cash)).

Cheers,
-Jon
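An added example, not from the thread or any of its posters, of the two measures DVB and The--Captain describe: egress rules that log every outbound port-25 connection, accept only the permitted relay and reject the rest, plus a check that picks policy violations out of the resulting log lines. The relay address, chain name, log prefix and syslog lines are all constructed for the example.

```python
import re

# Constructed for this example: the one SMTP relay the policy permits
# (a documentation address, not a real server).
ALLOWED_SMTP = {"192.0.2.25"}

# Fields we need from a netfilter LOG line: "... SRC=a DST=b ... PROTO=TCP ... DPT=n ..."
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def egress_rules(allowed=ALLOWED_SMTP, chain="OUTPUT"):
    """Build the iptables commands for the policy in the thread: log every
    outbound port-25 attempt, accept only the permitted relay(s), reject the rest.
    Returned as strings so they can be reviewed before being applied."""
    rules = [f"iptables -A {chain} -p tcp --dport 25 -j LOG --log-prefix 'SMTP-POLICY: '"]
    rules += [f"iptables -A {chain} -p tcp --dport 25 -d {host} -j ACCEPT"
              for host in sorted(allowed)]
    rules.append(f"iptables -A {chain} -p tcp --dport 25 -j REJECT --reject-with tcp-reset")
    return rules


def find_violations(log_lines, allowed=ALLOWED_SMTP):
    """Return (src, dst) for each logged TCP attempt to port 25 whose destination
    is not a permitted relay. Other ports are ignored: as the thread notes, a port
    filter cannot tell webmail on port 80 from any other web traffic."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25" and m.group("dst") not in allowed:
            hits.append((m.group("src"), m.group("dst")))
    return hits


# Constructed sample of what the LOG rule above would write to syslog.
SAMPLE_LOG = [
    "Apr  8 10:01:02 gw kernel: SMTP-POLICY: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.25 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr  8 10:02:15 gw kernel: SMTP-POLICY: IN= OUT=eth0 SRC=10.0.0.7 DST=198.51.100.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr  8 10:03:00 gw kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=198.51.100.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    print("\n".join(egress_rules()))
    for src, dst in find_violations(SAMPLE_LOG):
        print(f"policy violation: {src} tried to reach SMTP on {dst}")
```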



Expert Comment by vinnyd79 (LVL 28):
Surf Control will work for this.

Expert Comment by vinnyd79 (LVL 28):
Captain, I see your point. But with Surf Control you can see everything a user does, and use it to create an effective rule base.

Expert Comment by The--Captain (LVL 16):
Surfcontrol does not have any method for detecting new webmail sites.  'Nuff said.

There are similar problems with most of the technical solutions presented above.  That's why a policy-based solution, as others have mentioned, would be most effective here.

-Jon


Expert Comment by vinnyd79 (LVL 28):
What do you mean Surf Control doesn't have any method for detecting new webmail sites? Surf Control will let you see every site a user visits, so you can block it.

Expert Comment by The--Captain (LVL 16):
Siiiigggh - and what about new sites that you haven't entered in the database?  Do I really need to connect the dots here?

-Jon

Expert Comment by cartoonbabe (LVL 1):
"... also need advice on how to work in security... I am sorry for sounding so foolish, but I want to work and don't know anything :( can u help me with web links or with some book titles ..."

The best security people are hackers at heart.  The more you know about the holes the more successful you are at filling them.  Now, that's a big area!

Expert Comment by SunBow (LVL 24):
and now ,,,,,,,,,,,,,,,

Expert Comment by zenlion420 (LVL 5):
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to FlamingSword and SunBow.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor

Expert Comment by The--Captain (LVL 16):
I vote for pts to FlamingSword exclusively - if you give pts to SunBow, then I think my comments were at least as valuable, and would like some pts as well.

Cheers,
-Jon


Expert Comment by zenlion420 (LVL 5):
Noted:

I'll adjust my decision to award pts to FlamingSword exclusively. I would split three ways, but it's only a 50 pt Q.  Thanks for the input.

j

Expert Comment by The--Captain (LVL 16):
Sounds great to me - Actually John, you can feel free to ignore requests for pt splits from me, given the PE benefits.

Cheers,
-Jon
EE PE (but not in this TA)


Expert Comment by zenlion420 (LVL 5):
Having PE benefits doesn't mean that you shouldn't get what's coming to you.  I'm doing my best to be fair, and appreciate any, and all comments.  thanks.

j