RE: how to block SMTP Commands without ISA Server

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2003 15:47:46 -0500

Fixup can block a telnet to tcp 25 that issues SMTP commands?  Really?  It
checks the application to see what's issuing the commands?  Or does it just
block access to all but tcp 25 (tcp 20, 21, 23 etc)?

As noted earlier in the thread, this is an issue with the SMTP protocol.
You cannot block applications from accessing it if they present the proper
protocol sequence.  SMTP "listens" on tcp 25, a well known port.  SMTP is a
well known protocol, having been around since the early 80's (RFC 821, 822).

I'd be very skeptical of any feature that claims to block anything other than
an MTA from connecting and talking SMTP protocol with your host.  Telnet,
scripts, custom code, any number of mailers etc. all talk via that protocol.
That's often why SMTP infrastructures include much more than a firewall and a
host: just so you can't do this sort of stuff and maliciously send email to
other domains (AKA Open Relay).  Accepting the message as inbound from telnet,
a script, custom code, etc. is a perfectly legitimate use of the protocol.

Spending time limiting the client program that can access your mailer is
nothing but a waste from what I can tell.  Spending time combating open
relay and spam attacks would be a better use of your time from what I know.

Al 
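As an added example (not code from the thread, Exchange or any firewall), here is the distinction Al draws applied by a minimal SMTP envelope handler: the server cannot tell telnet from a script or an MTA, so the only useful check is the relay rule on the envelope plus a session log that records the source address. It assumes a hosted domain of example.com, hypothetical internal/authenticated flags on the session, and reply strings chosen for the example.

```python
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.com"}   # assumption: the domains this mailer hosts

@dataclass
class Session:
    client_ip: str
    internal: bool = False        # connected from inside the office network
    authenticated: bool = False   # passed SMTP AUTH
    mail_from: str = ""
    rcpts: list = field(default_factory=list)
    log: list = field(default_factory=list)

def _domain(addr: str) -> str:
    """Domain part of an address, with optional <> brackets stripped."""
    addr = addr.strip().strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def may_relay(sess: Session, rcpt: str) -> bool:
    """Inbound mail for a hosted domain is always accepted, whoever sends it.
    Mail for any other domain is relayed only for internal or authenticated
    clients; everyone else gets 'relaying denied' (the no-open-relay rule)."""
    if _domain(rcpt) in LOCAL_DOMAINS:
        return True
    return sess.internal or sess.authenticated

def handle(sess: Session, line: str) -> str:
    """Process one envelope command and return the SMTP reply."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        reply = "250 mail.example.com"
    elif verb == "MAIL":
        sess.mail_from = arg.partition(":")[2].strip()
        reply = "250 OK"
    elif verb == "RCPT":
        rcpt = arg.partition(":")[2].strip()
        if may_relay(sess, rcpt):
            sess.rcpts.append(rcpt)
            reply = "250 OK"
        else:
            reply = "550 5.7.1 Relaying denied"
    elif verb == "DATA":
        reply = "354 Start mail input" if sess.rcpts else "503 No valid recipients"
    else:
        reply = "500 Command not recognized"
    # Log the source IP with every command: a forged MAIL FROM cannot hide
    # which host actually opened the session.
    sess.log.append(f"{sess.client_ip} {verb} {arg} -> {reply}")
    return reply

def run_session(sess: Session, commands: list) -> list:
    """Feed a whole transcript; telnet, script or MTA makes no difference."""
    return [handle(sess, cmd) for cmd in commands]
```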

-----Original Message-----
From: oevans@xxxxxxxxxxxxxxx [mailto:oevans@xxxxxxxxxxxxxxx] 
Sent: Wednesday, December 03, 2003 3:35 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server

http://www.MSExchange.org/


Look into a firewall solution.  Cisco PIX uses a feature called fixup
protocol.
This prevents other protocols, such as telnet, from having a session with
your server, and at the same time only allows SMTP coming from the outside
in.

Hope that helps.

NB. If a person sends an e-mail from within the office then there are a lot of
ways you can log the session to a logging server, hence don't fire the
manager but the culprit.

O.E

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Wednesday, December 03, 2003 3:03 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server


How is it a security issue if they telnet to 25 and manually enter the commands
vs. using an MTA or a script to do it?  That's the heart of the conversation.


To me, there is no difference.  I don't particularly care if somebody wants
to take the time to open a manual session to my mailer and send mail or even
use a script against their own mailer that then opens a conversation to mine.
What I do with the mail after that is different, however.  My internet facing
mailer must accept connections from all other mailers on the internet that
speak the SMTP protocol.  If not, then which ones should it accept from?
Which ones are sending valid mail?  Which ones aren't?  Being able to telnet
to my mailer and manually enter the commands uses the same commands as a
script or a mailer opening the connections.  Where's the elevated risk in
that?

Help me see it as I feel I may be missing something. 

-----Original Message-----
From: Victor Naranjo [mailto:vnaranjo@xxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 2:53 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server


If humans are allowed to telnet to port 25 they could impersonate... Like this

Telnet domain.com 25
Helo domain
Mail from:generalmanager@xxxxxxxxxx
Rcpt to:humanresourcemanager@xxxxxxxxxx
Data
Please fire the Production Manager. It's an order.

Thanks,

..
Message accepted for delivery

Is it a security issue or not??


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 2:15 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server


Hi Gabrie,

However, I can script the same commands and make it a bit quicker ;-)

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server:
http://tinyurl.com/1llp

 


-----Original Message-----
From: Gabrie van Zanten [mailto:gabrie@xxxxxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 12:30 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server



NOT QUITE CORRECT !!!!

I don't know how to do this with Exchange, but in some firewalls (I know
Raptor has it), you can block TELNET to port 25. What the firewall does is
time how long it takes for the commands to be entered. A mail server
connecting to yours on port 25 would fire those commands quite rapidly;
when a human does this, it is much slower. Based on this, the
firewall blocks entering commands by hand.

Yes -> port 25 has to remain open
Yes -> you could trap humans on port 25
No -> I don't think Exchange can do this for you 

I don't know what your security risk would be allowing humans to telnet to
port 25.

Gabrie
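The timing heuristic Gabrie describes, as an added example that is not from the thread or from any firewall product: an MTA sends the envelope commands back to back, while a human typing into telnet pauses for seconds between them, so the median inter-command gap separates the two. The 2 second threshold and the two sample sessions are constructed for the example; as Tom notes, a script defeats this, so it flags interactive sessions, not malicious ones.

```python
from statistics import median

HUMAN_GAP_SECONDS = 2.0   # assumption: tune to your own traffic

# Constructed sample: (seconds since connect, command) for two sessions.
# The first mimics an MTA, the second a person typing into telnet.
SESSIONS = {
    "mta-session": [
        (0.02, "EHLO relay.example.net"),
        (0.05, "MAIL FROM:<a@example.net>"),
        (0.08, "RCPT TO:<b@example.com>"),
        (0.11, "DATA"),
    ],
    "telnet-session": [
        (4.1, "Helo domain"),
        (11.8, "Mail from:generalmanager@example.com"),
        (19.2, "Rcpt to:humanresourcemanager@example.com"),
        (27.5, "Data"),
    ],
}

def command_gaps(events):
    """Seconds between consecutive commands in one session."""
    times = [t for t, _ in events]
    return [later - earlier for earlier, later in zip(times, times[1:])]

def looks_interactive(events, threshold=HUMAN_GAP_SECONDS):
    """True when the typical pause between commands is human-scale.
    The median is used so one long pause (a slow link, a retry) does not
    by itself mark an automated session as interactive."""
    gaps = command_gaps(events)
    return bool(gaps) and median(gaps) >= threshold

def classify(sessions):
    """Label each session 'interactive' or 'automated' for logging/alerting."""
    return {
        name: ("interactive" if looks_interactive(events) else "automated")
        for name, events in sessions.items()
    }
```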
 

> -----Original Message-----
> From: Mark Fugatt [mailto:mark@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 7:18 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 
> Exactly
> 
> Mark Fugatt
> MCT, MCSE, Microsoft Exchange MVP
> Pentech Office Solutions Inc
> Tel:  585 586 3890
> Cell: 585 576 4750
> Fax:  585 249 0316
> MSN IM: mark@xxxxxxxxx
> www.4mcts.com
> www.exchangetrainer.com
> 
> 
> -----Original Message-----
> From: Militello, John [mailto:jmilitello@xxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 1:15 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 
> Port 25 has to remain open. If your server is set up correctly (No
> Relaying) you should not be worried about it. No one can get a message
> off if the server is set up correctly.
> 
> 
> 
> -----Original Message-----
> From: Mark Fugatt [mailto:mark@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 12:39 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 
> 20 and 21 are FTP, you cannot stop people from using a Telnet client 
> and connecting to port 25 on your SMTP server without blocking port 25
> which would defeat the object of having an SMTP server.
> 
> Mark Fugatt
> MCT, MCSE, Microsoft Exchange MVP
> Pentech Office Solutions Inc
> Tel:  585 586 3890
> Cell: 585 576 4750
> Fax:  585 249 0316
> MSN IM: mark@xxxxxxxxx
> www.4mcts.com
> www.exchangetrainer.com
> 
> 
> -----Original Message-----
> From: oevans@xxxxxxxxxxxxxxx [mailto:oevans@xxxxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 12:30 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 
> 
> What you do is deny port 21 and 20 on your firewall that points to 
> your mail server.
> E.g. if your mail server is 192.168.100.5 then you would use:
> 
> access-list 101 deny tcp any host 192.168.100.5 eq telnet
> 
> This pertains to a pix firewall but you may have some other brand.
> 
> O.e
> 
> -----Original Message-----
> From: Victor Naranjo [mailto:vnaranjo@xxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 12:14 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 
> I can connect to Exchange Server by opening a telnet session to port
> 25 and executing commands like helo domain, mail from, etc. and send a 
> message to an internal mailbox by impersonation.
> 
> This is a security issue; how do I block these SMTP commands if anybody 
> makes a telnet session to port 25?
> 
> -----Original Message-----
> From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:48 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 
> Can you give an example of what you want?  I suspect that blocking 
> commands means one thing to you and something different to me.  I 
> think of blocking commands as disabling verbs.  I suspect you want to 
> block specific users from sending you email.  A deny or block list.
> 
> 
> Al
> 
>  
> 
> -----Original Message-----
> From: Victor Hugo Naranjo [mailto:vnaranjo@xxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:40 AM
> To: [ExchangeList]
> Subject: [exchangelist] how to block SMTP Commands without ISA Server
> 
> 
> Help with this...
> 
> In Exchange 5.5, 2000 and 2003 how to block SMTP Commands without ISA 
> Server?
> If the Mail from: (SMTP Command) is blocked, can I still receive 
> Internet eMails?
> 
> 
> Victor Naranjo
> CONSULTANT
> SYNERGY
> 
> 
> 
> ------------------------------------------------------
> List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org Windows 
> Security Resource Site:
> http://www.windowsecurity.com/ Network Security Library:
> http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------