RE: how to block SMTP Commands without ISA Server

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2003 15:02:42 -0500

How is it a security issue if they telnet to 25, manually enter the commands
vs. using a MTA or a script to do it?  That's the heart of the conversation.


To me, there is no difference.  I don't particularly care if somebody wants
to take the time to open a manual session to my mailer and send mail or even
use a script against their own mailer that then opens a conversation to mine.
What I do with the mail after that is different however.  My internet facing
mailer must accept connections from all other mailers on the internet that
speak the SMTP protocol.  If not, then which ones should they accept from?
Which ones are sending valid mail?  Which ones aren't?  Being able to telnet
to my mailer and manually entering the commands uses the same commands as a
script or a mailer opening the connections.  Where's the elevated risk in
that?

Help me see it as I feel I may be missing something. 

-----Original Message-----
From: Victor Naranjo [mailto:vnaranjo@xxxxxxxxxxxxx] 
Sent: Wednesday, December 03, 2003 2:53 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server

http://www.MSExchange.org/

If humans are allowed to telnet to port 25 they could impersonate... Like this

Telnet domain.com 25
Helo domain
Mail from:generalmanager@xxxxxxxxxx
Rcpt to:humanresourcemanager@xxxxxxxxxx
Data
Please, fire the Production Manager. It's an order.

Thanks,

..
Message accepted for delivery

Is It or Not a Security Issue??


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 2:15 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server

Hi Gabrie,

However, I can script the same commands and make it a bit quicker ;-)

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Gabrie van Zanten [mailto:gabrie@xxxxxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 12:30 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how to block SMTP Commands without ISA Server


NOT QUITE CORRECT !!!!

I don't know how to do this with Exchange, but in some firewalls (I know
Raptor has it), you can block TELNET to port 25. What the firewall does is
time how long it takes for the commands to be entered. A mail server
connecting to yours on port 25 would fire those commands quite rapidly;
when a human would do this, it would be much slower. Based on this, the
firewall blocks entering commands by hand.

Yes -> port 25 has to remain open
Yes -> you could trap humans on port 25
No -> I don't think Exchange can do this for you

I don't know what your security risk would be allowing humans to telnet to
port 25.

Gabrie
 

> -----Original Message-----
> From: Mark Fugatt [mailto:mark@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 7:18 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> Exactly
> 
> Mark Fugatt
> MCT, MCSE, Microsoft Exchange MVP
> Pentech Office Solutions Inc
> Tel:  585 586 3890
> Cell: 585 576 4750
> Fax:  585 249 0316
> MSN IM: mark@xxxxxxxxx
> www.4mcts.com
> www.exchangetrainer.com
> 
> 
> -----Original Message-----
> From: Militello, John [mailto:jmilitello@xxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 1:15 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> Port 25 has to remain open. If your server is set up correctly (No
> Relaying) you should not be worried about it. No one can get a message 
> off if the server is set up correctly.
> 
> 
> 
> -----Original Message-----
> From: Mark Fugatt [mailto:mark@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 12:39 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 20 and 21 are FTP, you cannot stop people from using a Telnet client 
> and connecting to port 25 on your SMTP server without blocking port 25 
> which would defeat the object of having an SMTP server.
> 
> Mark Fugatt
> MCT, MCSE, Microsoft Exchange MVP
> Pentech Office Solutions Inc
> Tel:  585 586 3890
> Cell: 585 576 4750
> Fax:  585 249 0316
> MSN IM: mark@xxxxxxxxx
> www.4mcts.com
> www.exchangetrainer.com
> 
> 
> -----Original Message-----
> From: oevans@xxxxxxxxxxxxxxx [mailto:oevans@xxxxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 12:30 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> 
> What you do is deny port 21 and 20 on your firewall that points to 
> your mail server.
> E.g. if your mail server is 192.168.100.5 then you would use:
> 
> access-list 101 deny tcp any host 192.168.100.5 eq telnet
> 
> This pertains to a pix firewall but you may have some other brand.
> 
> O.e
> 
> -----Original Message-----
> From: Victor Naranjo [mailto:vnaranjo@xxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 12:14 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> I can connect to Exchange Server with a telnet session to port
> 25 and execute commands like helo domain, mail from, etc. and send a
> message to an internal mailbox, making an impersonation.
> 
> This is a security issue. How to block these SMTP commands if anybody
> makes a telnet session to port 25?
> 
> -----Original Message-----
> From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:48 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: how to block SMTP Commands without ISA 
> Server
> 
> Can you give an example of what you want?  I suspect that blocking 
> commands means one thing to you and something different to me.  I 
> think of blocking commands as disabling verbs.  I suspect you want to 
> block specific users from sending you email.  A deny or block list.
> 
> 
> Al
> 
>  
> 
> -----Original Message-----
> From: Victor Hugo Naranjo [mailto:vnaranjo@xxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:40 AM
> To: [ExchangeList]
> Subject: [exchangelist] how to block SMTP Commands without ISA Server
> 
> Help with this...
> 
> In Exchange 5.5, 2000 and 2003 how to block SMTP Commands
> without ISA Server?
> If the Mail from: (SMTP Command) is blocked, can I still
> receive Internet eMails?
> 
> 
> Victor Naranjo
> CONSULTANT
> SYNERGY
> 
> 
> 
> ------------------------------------------------------
> List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org 
> Windows Security Resource Site: 
> http://www.windowsecurity.com/ Network Security Library:
> http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
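
Added example (not part of the original thread, and not how Raptor or any named firewall implements it): the command-timing heuristic Gabrie describes, run over a constructed session log, next to a check on the envelope sender that addresses the impersonation case Victor raises. The log format, the domain corp.example, the 192.168.100.0/24 internal range and the 2-second threshold are all assumptions. Session s3 replays s2's commands at script speed, so the timing check misses it while the sender check flags both.

```python
import ipaddress
from datetime import datetime
from statistics import median

# Constructed sample: timestamp, session id, client IP, SMTP command.
SAMPLE_LOG = """\
2003-12-03T15:00:00.100 s1 203.0.113.7 HELO mail.example.net
2003-12-03T15:00:00.150 s1 203.0.113.7 MAIL FROM:<alice@example.net>
2003-12-03T15:00:00.210 s1 203.0.113.7 RCPT TO:<bob@corp.example>
2003-12-03T15:00:00.260 s1 203.0.113.7 DATA
2003-12-03T15:01:00.000 s2 198.51.100.9 HELO domain
2003-12-03T15:01:09.400 s2 198.51.100.9 MAIL FROM:<generalmanager@corp.example>
2003-12-03T15:01:21.800 s2 198.51.100.9 RCPT TO:<hr@corp.example>
2003-12-03T15:01:27.000 s2 198.51.100.9 DATA
2003-12-03T15:02:00.000 s3 198.51.100.9 HELO domain
2003-12-03T15:02:00.050 s3 198.51.100.9 MAIL FROM:<generalmanager@corp.example>
2003-12-03T15:02:00.090 s3 198.51.100.9 RCPT TO:<hr@corp.example>
2003-12-03T15:02:00.140 s3 198.51.100.9 DATA
"""

def parse_sessions(log):
    """Group log lines by session id, keeping timestamps and the envelope sender."""
    sessions = {}
    for line in filter(None, map(str.strip, log.splitlines())):
        ts, sid, ip, cmd = line.split(" ", 3)
        s = sessions.setdefault(sid, {"ip": ip, "times": [], "mail_from": ""})
        s["times"].append(datetime.fromisoformat(ts))
        if cmd.upper().startswith("MAIL FROM:"):
            s["mail_from"] = cmd[len("MAIL FROM:"):].strip().strip("<>").lower()
    return sessions

def classify(sessions, own_domain, own_net, slow_gap=2.0):
    """Per-session flags: slow (hand-typed) timing; own-domain sender from outside."""
    net = ipaddress.ip_network(own_net)  # assumed internal address range
    flags = {}
    for sid, s in sessions.items():
        # Seconds between consecutive commands in the same session.
        gaps = [(b - a).total_seconds() for a, b in zip(s["times"], s["times"][1:])]
        outside = ipaddress.ip_address(s["ip"]) not in net
        flags[sid] = {
            "hand_typed": bool(gaps) and median(gaps) >= slow_gap,
            "own_domain_from_outside": outside and s["mail_from"].endswith("@" + own_domain),
        }
    return flags

if __name__ == "__main__":
    results = classify(parse_sessions(SAMPLE_LOG), "corp.example", "192.168.100.0/24")
    for sid, f in results.items():
        print(sid, f)
```
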