RE: Microsoft SMTP Service

From: Kundera (kundera@onebox.com)
Date: 07/25/01


Date: Wed, 25 Jul 2001 14:58:51 -0700
Subject: RE: Microsoft SMTP Service
From: "Kundera  " <kundera@onebox.com>
To: focus-ms@securityfocus.com
Message-Id: <20010725215852.CHRV3258.mta06.onebox.com@onebox.com>

A better way is to use logic in your pages that allows you to populate
the from field (I usually use CDONTS). Actually, I've never used anything
that doesn't allow this, so I'm not really sure why you'd want to go
to the trouble of swapping headers when you can do it better and easier
programmatically.

As for the SMTP server itself, if you don't *really* need it, don't install
it. This is true of anything on any server, especially those visible
to the outside world. What's probably a better idea is to use an SMTP
server in your LAN that's already secure. Block all 25/tcp to your IIS
server, and open up 25/tcp from your IIS machine to your secure server.
Good firewall policies and planning usually prevent you from having
to do odd things like stripping headers.

Kundera

-----Original Message-----
From: Colin Stefani [mailto:cstefani@tideworks.com]
Sent: Wednesday, July 25, 2001 4:42 PM
To: 'Matthew.Tim@cantire.com'; focus-ms@securityfocus.com
Subject: RE: Microsoft SMTP Service

[snip]
 
The only thing I've expressed concern about is display of internal host
names when sending. The best solution, for my networks, has been to relay
the mail through a Sendmail proxy which is configured to strip outbound
headers from the web farm machines and replace them with its own. That
way receiving hosts get mail from a known MX source (one that's listed
in DNS records) and any bouncing mail comes back either to the reply-to,
from, or host address, all of which will route back to a real mailbox.

-cs-
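
The header stripping discussed in this thread, sketched in Python as an added example (not code from either poster, and not a Sendmail configuration). The host names, the `.corp.example` suffix and the sample message are constructed; `leaks` audits a message for internal names or private addresses, and `sanitize` does what a stripping relay would do before its MTA adds its own trace line.

```python
import email
import ipaddress
import re
from email.utils import make_msgid

# Constructed sample: a message as it leaves a web-farm host (all names made up).
SAMPLE = (
    "Received: from web03.corp.example ([10.1.4.23]) by iis01.corp.example with SMTP;\n"
    "\tWed, 25 Jul 2001 14:58:51 -0700\n"
    "Message-ID: <000a01c1154f$1@web03.corp.example>\n"
    "From: orders@example.com\n"
    "Reply-To: support@example.com\n"
    "To: customer@example.net\n"
    "Subject: Your order\n"
    "\n"
    "Thanks for your order.\n"
)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def leaks(raw, internal_suffixes):
    """Return names of headers that expose an internal host name or private IP."""
    found = []
    for name, value in email.message_from_string(raw).items():
        text = str(value).lower()
        hit = any(s in text for s in internal_suffixes)
        for ip in IP_RE.findall(text):
            try:
                hit = hit or ipaddress.ip_address(ip).is_private
            except ValueError:
                pass  # looked like an address but is not a valid one
        if hit:
            found.append(name)
    return found

def sanitize(raw, internal_suffixes, public_domain):
    """Drop upstream trace headers and re-issue a Message-ID that names an internal host."""
    msg = email.message_from_string(raw)
    del msg["Received"]  # removes every Received line added before the relay
    mid = msg.get("Message-ID", "")
    if any(s in mid.lower() for s in internal_suffixes):
        del msg["Message-ID"]
        msg["Message-ID"] = make_msgid(domain=public_domain)
    return msg.as_string()
```

Running `leaks` on mail captured after the relay is a quick regression check that the stripping still works after a configuration change.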
