Re: [fw-wiz] SMTP forwarding question

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 10/01/04

  • Next message: Luke Butcher: "RE: [fw-wiz] DMZ Ideas"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 1 Oct 2004 04:04:33 +0530
    
    

    On 30/09/04 22:18 +0200, Nagy Attila wrote:
    > Marcus J. Ranum wrote:
    > > > The problem: there is a network from which all outgoing SMTP connections
    > > > should be handled by the company's mail gateway (virus and spam checking,
    > > > etc) BUT the roaming users must be able to use their companies' SMTP
    > > > server, possibly via SMTP AUTH (with or without starttls) and/or POP
    > > > before SMTP (or any other solutions which work over tcp/25).

    > > First off, that's a stupid policy - fortunately it's not mine so I
    > > won't say any more about it than what I already have...

    > I think the only thing why you think it's stupid is that I've left off
    > an important information:
    > the given company would be an ISP, which has a lot of problems about
    > their users spamming and flooding the world with viruses.
    >

    So? We blocked port 25 outbound with no major issues earlier. Blocking
    port 25 for Windows users is probably the biggest favour that you can do
    for the Internet.

    > If the ISP blocks outgoing tcp/25, then all of its users who use other
    > SMTP servers on the internet (for example mail.ispB.com with POP before
    > SMTP or via SMTP AUTH) will not be able to use their server.

    Thats what port 587/tcp is for.

    > I am aware of the fact, that a clear policy should be that every user
    > MUST send mail via mail.ispA.com, but as the Earth's shape is not
    > exactly round, the users say that if they cannot send mail from their
    > notebook from ISP A to ISP B (via authenticated SMTP) and it works from
    > ISP C, then they will choose ISP C, not A.
    >
    > That's the problem. If ISP A blocks outgoing SMTP, the users have to
    > reconfigure their notebooks.

    Nope. They just need to be using 587/tcp from the beginning. Block port
    25, make it clear why you are doing that, and help the users understand
    why it is necessary.

    If you aren't, let us know the IP blocks that the users are assigned, and
    not the smarthosts. We will be more than glad to block dynamic IPs.

    > And users doesn't want this, instead they choose another ISP.
    >
    > > This could probably be done with the proxy transparency rules of
    > > some old-school firewalls, or with redirector rules in a load-balancer.
    > Could you name any product which can store some state about the current
    > SMTP session, decide what are we talking about (authenticated SMTP to a
    > foreign ISP or a simple mail to anyone in the world) and route the
    > traffic either the local mail server or transparently to the original one?

    You will end up writing your own. The alternative is to use something
    like AOLs system of forwarding port 25 to their own systems and
    hijacking the TCP connection.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Luke Butcher: "RE: [fw-wiz] DMZ Ideas"