Re: [fw-wiz] A fun smackdown...

From: Paul D. Robertson (
Date: 05/20/05

  • Next message: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
    To: Devdas Bhagat <>
    Date: Thu, 19 May 2005 19:01:37 -0400 (EDT)

    On Fri, 20 May 2005, Devdas Bhagat wrote:

    > On 19/05/05 17:32 -0400, Paul D. Robertson wrote:
    > <snip>
    > > >
    > > > I used Cisco's proxying of SMTP as a well-known example of a "security
    > > > feature" which breaks legitimate protocol extensions (ESMTP), yet
    > >
    > > That's the point; You stop things (I don't think it really "breaks it,"
    > > since it should default to HELO instead of EHLO- so "doesn't allow
    > Yes it does. Minimally, it breaks the requirement that the server
    > advertise its fully qualified hostname to the remote SMTP client in the
    > greeting.

    I'd read Chuck's message to say that it doesn't allow ESMTP, which is
    different than breaking it, as you can simply downgrade to SMTP.

    > > increased functionality" is probably more accurate.) Heck, I try not to
    > The increased functionality enhances security by allowing for
    > 1> SMTP AUTH
    > 2> TLS
    > 3> being able to reject before 'data' based on size as offered by the client.
    > (otherwise you have to accept all the data and that can lead to a DoS).
    > 4> Catching broken spamware and proxies which spew out SMTP protocol
    > stuff before responses without offering EHLO and explicitly being
    > offered pipelining.

    I'm not arguing that ESMTP doesn't have useful features, I'm saying that
    not allowing it is a valid security control, as it increases complexity
    (SSL layer in TLS? Auth password guessing...,) and specifically if it
    stops the last Exchange bug, then its value may come to be a lot greater
    than previously thought for those folks who use SMTP-fixup and Exchange
    (editorial comments narrowly avoided.)

    Actually, you don't have to accept all the data, you can simply close the
    connection at N bytes, which you'd have to do if the client lied anyway.

    Also, I've seen the same spew in "legitimate" applications (specifically
    Delphi controls that couldn't do SMTP correctly,) which is generally where
    you get the most flack for adding security controls (breaks "needed

    > > run browsers that do ActiveX when I run a browser on a Microsoft OS,
    > > that's reduced functionality too- but I'm willing to accept it because it
    > > reduces my risk.
    > >
    > > Guards with guns stop the free flow of people, and reduce the
    > > functionality of a place- but they also reduce the risk if they're doing
    > > their jobs- and many places are happy to deploy them.
    > >
    > > > doesn't seem to really improve security, but if you aren't very
    > > > familiar with it, I won't insist on debating this particular example.
    > > > :-)
    > >
    > > Does it stop the MS-only extensions? In that case it does provide some
    > > security value- unless you feel that overflows in SMTP verbs aren't that
    > > big a security deal...
    > But those could be stopped by a ESMTP speaking defensive proxy as well.

    Which doesn't mean the downgrade wouldn't be protective.

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    firewall-wizards mailing list
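The three controls argued over above (refusing EHLO so the client falls back to HELO, rejecting at MAIL FROM on the ESMTP SIZE parameter, and simply closing the connection at N bytes when the client lied or never announced a size) are easy to see side by side in a toy server-side state machine. The block below is an added example, not code from the thread, from Cisco's SMTP fixup or from any real proxy; the hostname, the 1000-byte limit, the exact reply codes chosen for the downgrade (a 500 to EHLO, which a conforming client answers with HELO) and the scripted client sessions are all constructed for illustration.

```python
"""Toy SMTP policy filter: ESMTP downgrade, SIZE rejection, and a hard byte cap.

Added example (assumed behaviour, not a model of any specific product).
"""
import re

MAX_MESSAGE_BYTES = 1000            # assumed policy limit for the example
HOSTNAME = "mx.example.test"        # hypothetical hostname


class SmtpFilter:
    """Minimal server-side SMTP state machine standing in for a proxy or fixup."""

    def __init__(self, allow_esmtp, max_bytes=MAX_MESSAGE_BYTES):
        self.allow_esmtp = allow_esmtp
        self.max_bytes = max_bytes
        self.greeted = False
        self.in_data = False
        self.data_bytes = 0
        self.closed = False
        self.events = []            # policy decisions, recorded for inspection

    def greeting(self):
        # A downgrading proxy should not advertise ESMTP in the banner.
        return f"220 {HOSTNAME} {'ESMTP' if self.allow_esmtp else 'SMTP'}"

    def feed(self, line):
        """Return the reply to one client line, or None when no reply is sent."""
        if self.closed:
            return None
        if self.in_data:
            return self._data(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            if not self.allow_esmtp:
                # Downgrade: refuse EHLO; the client is expected to retry with HELO,
                # so no extensions (SIZE, AUTH, STARTTLS, PIPELINING) are ever offered.
                self.events.append("ehlo-refused")
                return "500 Command unrecognized"
            self.greeted = True
            return f"250-{HOSTNAME}\r\n250 SIZE {self.max_bytes}"
        if verb == "HELO":
            self.greeted = True
            return f"250 {HOSTNAME}"
        if not self.greeted:
            return "503 Send HELO/EHLO first"
        if verb == "MAIL":
            m = re.search(r"\bSIZE=(\d+)", arg, re.I)
            if m and not self.allow_esmtp:
                return "501 Syntax error in parameters"   # extension param on plain SMTP
            if m and int(m.group(1)) > self.max_bytes:
                # Early rejection: only possible because the client announced a size.
                self.events.append("rejected-at-mail-from")
                return "552 Message exceeds fixed maximum message size"
            return "250 OK"
        if verb == "RCPT":
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            self.data_bytes = 0
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.closed = True
            return "221 Bye"
        return "500 Command unrecognized"

    def _data(self, line):
        if line == ".":
            self.in_data = False
            return "250 OK: queued"
        self.data_bytes += len(line) + 2    # count the CRLF the client sent
        if self.data_bytes > self.max_bytes:
            # Hard cap: works whether the client lied in SIZE= or never sent one.
            self.events.append("closed-at-cap")
            self.closed = True
        return None                         # no per-line reply during DATA


def run_session(allow_esmtp, client_lines, max_bytes=MAX_MESSAGE_BYTES):
    """Drive a filter with a scripted client; return (transcript, policy events)."""
    f = SmtpFilter(allow_esmtp, max_bytes)
    transcript = [("S", f.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = f.feed(line)
        if reply is not None:
            transcript.append(("S", reply))
        if f.closed and reply is None:
            transcript.append(("S", "<connection closed>"))
            break
    return transcript, f.events


# Constructed sample sessions (not captured traffic). 12 lines of 102 bytes > 1000.
BIG_BODY = ["X" * 100] * 12
HONEST_CLIENT = ["EHLO client.test", "MAIL FROM:<a@client.test> SIZE=5000"]
LYING_CLIENT = ["EHLO spammer.test", "MAIL FROM:<a@spammer.test> SIZE=100",
                "RCPT TO:<b@example.test>", "DATA"] + BIG_BODY + ["."]
DOWNGRADED_CLIENT = ["EHLO client.test", "HELO client.test", "MAIL FROM:<a@client.test>",
                     "RCPT TO:<b@example.test>", "DATA"] + BIG_BODY + ["."]

if __name__ == "__main__":
    for name, esmtp, script in [("honest", True, HONEST_CLIENT),
                                ("lying", True, LYING_CLIENT),
                                ("downgraded", False, DOWNGRADED_CLIENT)]:
        transcript, events = run_session(esmtp, script)
        print(f"--- {name} (ESMTP {'allowed' if esmtp else 'refused'}): {events}")
        for who, text in transcript[:6]:
            print(f"{who}: {text}")
```

Running it shows the trade-off in miniature: with ESMTP allowed, the honest client is turned away at MAIL FROM before any payload is sent, the lying client gets the 250 and is dropped mid-DATA by the byte cap, and with EHLO refused every client is reduced to HELO and only the byte cap remains, which is exactly the point that the cap does not depend on ESMTP at all.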

