RE: SMTP Service in private DMZ OK?
Matthew.van.Eerde_at_hbinc.com
Date: 01/30/04
- Next in thread: Matthew.van.Eerde_at_hbinc.com: "RE: SMTP Service in private DMZ OK?"
- Maybe reply: Matthew.van.Eerde_at_hbinc.com: "RE: SMTP Service in private DMZ OK?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: sevans@foundation.sdsu.edu, focus-ms@securityfocus.com Date: Fri, 30 Jan 2004 12:33:57 -0800
> Who is "that user" that you refer to?
>
> If your talking about the mail from: address then so what?
Agreed.
> If your talking about the rcpt to: address then so what? Would you
> prefer that the SMTP service reject that address right then and there,
> making it even easier to find out what a valid address is?
There are many good reasons to reject invalid RCPT's at the protocol level
rather than creating an after-the-fact undeliverable report:
1) saving of bandwidth by not having to receive the DATA phase
2) saving of virus/spam scanning
3) The responsibility of reporting the undeliverable to the sender remains
with the sending MTA, instead of being shifted onto the receiving MTA
The reasons to accept invalid RCPT's are less convincing and are akin to
security-by-obscurity
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Next in thread: Matthew.van.Eerde_at_hbinc.com: "RE: SMTP Service in private DMZ OK?"
- Maybe reply: Matthew.van.Eerde_at_hbinc.com: "RE: SMTP Service in private DMZ OK?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
