Re: Microsoft SMTP Service

From: Rich Wilson (wk633@yahoo.com)
Date: 07/26/01


Message-ID: <20010725224526.40397.qmail@web12302.mail.yahoo.com>
Date: Wed, 25 Jul 2001 15:45:26 -0700 (PDT)
From: Rich Wilson <wk633@yahoo.com>
Subject: Re: Microsoft SMTP Service
To: Matthew.Tim@cantire.com, focus-ms@securityfocus.com

In SMTP properties, Access, Connection, restrict access to specific IPs.
Configure your firewalls to only allow outbound SMTP
(that is, internal->DMZ->external, not the other direction)

You should be safe to let SMTP out. Certainly letting your web server relay
SMTP, as long as it only goes in one direction, is safer than the HTTP server
part of its job. Between your external firewall filtering, and access
restriction on the Web server/mail relay, you should be safe from external
connections. Your internal firewall should keep you safe from a compromised
Web server/mail relay being a jump point to your internal network.

I'm pretty sure that IIS SMTP service uses TCP for DNS (NOT UDP). At least,
that's what the Admin at my workplace says. If you use external, as opposed to DMZ
DNS servers, you may need to let your web server make outbound TCP DNS queries.
That shouldn't be a big risk either.

--- Matthew.Tim@cantire.com wrote:
> Hello all,
>
> Has anyone used the MS SMTP service on an IIS web server? Are there any
> security risks associated with this if the server is sitting in a DMZ and
> will be using this to send mail out to an external mail domain? Any help
> here would be appreciated.
>
> MT
>

=====
: __o
: -\<,
: 0/ 0
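
Added example, not part of the original post: a small Python audit of the one-way SMTP policy the reply above describes (internal->DMZ->external only, plus outbound TCP DNS from the relay). The zone names, the rule format, the first-match/default-deny evaluation and both sample rulesets are assumptions constructed for illustration and do not model any particular firewall product.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "allow" or "deny"
    src: str     # source zone, or "any"
    dst: str     # destination zone, or "any"
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port, 0 = any

def decide(rules, src, dst, proto, port):
    """First matching rule wins; no match means deny (assumed semantics)."""
    for r in rules:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.port in (port, 0)):
            return r.action
    return "deny"

# Flows taken from the reply: mail moves internal -> DMZ -> external only, and
# the relay may need outbound TCP DNS when external resolvers are used.
MUST_ALLOW = [("internal", "dmz", "tcp", 25), ("dmz", "external", "tcp", 25),
              ("dmz", "external", "tcp", 53)]
MUST_DENY = [("external", "dmz", "tcp", 25), ("external", "internal", "tcp", 25),
             ("dmz", "internal", "tcp", 25)]

def audit(rules):
    """Return (flow, expected, actual) for each flow that breaks the policy."""
    problems = []
    for expected, flows in (("allow", MUST_ALLOW), ("deny", MUST_DENY)):
        for flow in flows:
            actual = decide(rules, *flow)
            if actual != expected:
                problems.append((flow, expected, actual))
    return problems

# Constructed sample rulesets; anything unmatched falls to the default deny.
GOOD = [
    Rule("allow", "internal", "dmz", "tcp", 25),
    Rule("allow", "dmz", "external", "tcp", 25),
    Rule("allow", "dmz", "external", "tcp", 53),
]
# Zone wildcards make these SMTP rules two-directional without saying so.
LOOSE = [
    Rule("allow", "any", "dmz", "tcp", 25),
    Rule("allow", "dmz", "any", "tcp", 25),
    Rule("allow", "dmz", "external", "tcp", 53),
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("LOOSE", LOOSE)):
        print(name, audit(rules) or "policy holds")
```

The LOOSE ruleset passes every required flow, so mail delivery works, yet the audit shows it also admits external->DMZ and DMZ->internal SMTP, the two directions the reply says to block.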



