Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 07/06/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 6 Jul 2005 22:57:30 +0530
    On 06/07/05 08:51 -0400, Paul D. Robertson wrote:
    > On Tue, 5 Jul 2005, David M. Nicksic wrote:
    >
    > > I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
    > > Postini is employed. I want to deny all SMTP traffic unless it comes from
    > > one of the Postini servers. Can the PIX be configured to accomplish this?
    > >
    >
    > Almost any firewall can, however you'll be out of e-mail if the provider
    > has to put up a new server because of an attack, failure, problem or
    > address change. It's probably better to configure your mail server to
    > reject based on forward/reverse lookups, since you're dealing with one
    > zone, you'll be able to cache the lookups pretty well.
    >
    I would ask Postini for the network where their recipient verification
    will come from. Then allow connections to port 25 of my mailserver from
    only that subnet, and block everything else.

    > Note that Postini rejects mail if your server isn't reachable by it- so
    > it's not all that resilient if you're under attack or having server
    > issues[1]. Personally, I'd rather run Mailscanner on a Postfix instance
    > than outsource something as critical as e-mail.

    Ugh. Mailscanner is known to be unsafe with Postfix and can cause mail
    loss. Use amavisd-new instead.

    As I understand it, Postini should cache recipient information, so you
    will have a slightly better chance if your server goes under attack. I
    concur with Paul's suggestion, though I would recommend Postfix +
    Amavisd-new + Clamav + SpamAssassin on your Unix of choice.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
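Paul's suggestion above, rejecting SMTP clients unless a forward/reverse DNS lookup places them in the filtering provider's zone, as an added example that is not part of this thread. The provider zone, the resolver callbacks and the DNS data are all constructed placeholders (no real Postini addresses); in a real deployment the callbacks would wrap `socket.gethostbyaddr`/`socket.getaddrinfo` or a dnspython resolver, and the function would back a Postfix policy service or a similar pre-acceptance hook.

```python
import ipaddress
from typing import Callable

# Hypothetical resolver callbacks so the check runs offline; in production these
# would wrap socket.gethostbyaddr / socket.getaddrinfo or a dnspython resolver.
PtrLookup = Callable[[str], list[str]]   # ip -> PTR names
ALookup = Callable[[str], list[str]]     # name -> A records

def client_allowed(client_ip: str, provider_zone: str,
                   ptr_lookup: PtrLookup, a_lookup: ALookup) -> tuple[bool, str]:
    """Return (allowed, reason). Allowed only if the client's PTR name lies in
    provider_zone AND that name resolves forward back to client_ip
    (forward-confirmed reverse DNS), so a forged PTR alone is not enough."""
    zone = "." + provider_zone.strip(".").lower()
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "invalid client address"
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(ip))]
    if not names:
        return False, "no PTR record"
    in_zone = [n for n in names if n.endswith(zone)]
    if not in_zone:
        return False, f"PTR {names[0]} not under {provider_zone}"
    for name in in_zone:
        if str(ip) in {a.strip() for a in a_lookup(name)}:
            return True, f"confirmed {name}"
    return False, "PTR name does not resolve back to client (forward mismatch)"

# Constructed sample DNS data for demonstration; not real provider addresses.
SAMPLE_PTR = {
    "192.0.2.10": ["mx1.example-filter.net."],
    "192.0.2.11": ["mx2.example-filter.net."],   # PTR claims the zone, forward lies
    "198.51.100.5": ["mail.other.example."],
}
SAMPLE_A = {
    "mx1.example-filter.net": ["192.0.2.10"],
    "mx2.example-filter.net": ["203.0.113.9"],
    "mail.other.example": ["198.51.100.5"],
}

def demo(client_ip: str) -> tuple[bool, str]:
    return client_allowed(client_ip, "example-filter.net",
                          lambda ip: SAMPLE_PTR.get(ip, []),
                          lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.1"):
        print(ip, demo(ip))
```

Because the lookups all land in one zone, a caching resolver in front of the mail server keeps the per-connection cost low, which is the point Paul makes about cacheability.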

