Sender Spoofing via SMTP

brandon.steili_at_gmail.com
Date: 11/05/05

    Date: 5 Nov 2005 05:06:49 -0000
    To: security-basics@securityfocus.com
    
    
    Hi all,

    Thanks again for all the responses, I think everyone's contributed to me getting this far with my plan - Here's roughly what I've got in mind until the proxy or something to that effect can be placed in front of the exchange box(s). Please feel free to comment on the validity of the setup and any concerns you may have. I'm not yet an Exchange Guru so rake me over the coals as needed =) --- again thanks for all the help!!!

    The first system is running Windows Server 2003 w/ Exchange 2003 behind a NAT/PAT device. Server is also dual homed. Using a dual homed host would allow us to separate inbound traffic from internal traffic.

    Hostname (internet DNS) - smtp.foo.com - internal IP addresses 192.168.1.10 & 192.168.1.11

    The server is configured with 2 SMTP virtual servers (VS), each one on port 25, one VS for each address. 192.168.1.10 (VS1) is internet facing; the second, 192.168.1.11 (VS2), will connect to the internal server(s). All traffic from the internet would be sent to smtp.foo.com, which in turn would come to the 192.168.1.10 address. We allow anonymous connections to this VS, but perform reverse DNS lookups on incoming messages, and also apply a sender filter for *.foo.com; that way, even though we are not stopping the outside from connecting via telnet, they cannot spoof an internal address (since we are filtering that) and they cannot spoof a bogus domain since we look for that too. Exchange 2003 already prevents relaying to external domains as previously suggested, thanks for making me check though! The second VS could now be configured to speak only to the backend server(s) and ignore all other traffic from other systems (i.e. client desktops).

    Inside the firewall
    Hostname (internal DNS) - exch1.foo.com - internal IP address 192.168.2.10
    Any and all internal SMTP virtual servers get configured slightly differently. These virtual servers do not require the filter or the reverse DNS lookup, and should be configured to require Integrated Windows authentication, which will prevent anyone from connecting via Telnet to the internal Exchange boxes and sending a spoofed email -- Insert spoofed pink slip from the boss email here -- since once they try to do anything beyond an EHLO the connection gets dropped.

    We could also configure an anonymous SMTP VS that would only allow connections from, say, a server VLAN for any monitoring tools to communicate. Clients would connect via Outlook (RPC), POP3, IMAP4, and since these clients authenticate, they would have no issues sending mail.

    Does this sound like a pretty safe Exchange setup besides the obvious 3rd party AV and things of that nature?
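
The sender-filter rule for the internet-facing virtual server described in the post above, as an added Python example (not part of the original message and not Exchange's own logic). It matches `foo.com` on label boundaries, lets the null bounce sender through, and also inspects the header `From`, which is an assumption of this sketch; the function names and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "foo.com"  # domain used in the post

def domain_of(address):
    """Lower-cased domain of an address, or '' when there is none."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].rstrip(".").lower()

def is_internal(domain, internal=INTERNAL_DOMAIN):
    """True for foo.com and its subdomains, matched on label boundaries,
    so notfoo.com and foo.com.example.org do not match."""
    return domain == internal or domain.endswith("." + internal)

def check_external(mail_from, raw_message):
    """Verdict for a message arriving on the internet-facing listener (VS1).

    Inspecting the header From in addition to the envelope sender is an
    assumption of this sketch, not a claim about Exchange 2003's filter.
    """
    if mail_from.strip() not in ("", "<>"):  # "<>" is the null bounce sender
        env = domain_of(mail_from)
        if not env:
            return ("reject", "envelope sender has no domain")
        if is_internal(env):
            return ("reject", "envelope sender claims internal domain")
    header_from = message_from_string(raw_message).get("From", "")
    if is_internal(domain_of(header_from)):
        return ("reject", "header From claims internal domain")
    return ("accept", "sender is external")

# Constructed sample sessions: (MAIL FROM argument, message text)
SAMPLES = [
    ("<alice@example.org>", "From: alice@example.org\n\nhello"),
    ("<boss@foo.com>", "From: boss@foo.com\n\npink slip"),
    ("<x@example.org>", "From: The Boss <boss@foo.com>\n\npink slip"),
    ("<x@notfoo.com>", "From: x@notfoo.com\n\nlookalike, but external"),
]

if __name__ == "__main__":
    for mail_from, raw in SAMPLES:
        print(mail_from, check_external(mail_from, raw))
```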

