From: Andrew Long (fursink@gmail.com)
Date: Thu Feb 28 2008 - 18:41:05 CST
On Thu, Feb 28, 2008 at 12:05 PM, Jorey Bump <list@joreybump.com> wrote:
> Andrew Long wrote, at 02/28/2008 10:41 AM:
>
> > On Wed, Feb 27, 2008 at 12:43 PM, Jorey Bump <list@joreybump.com> wrote:
> >>
> >> If you're proxying port 25, reconsider. It puts your guests at risk of
> >> exposing login information when they attempt to authenticate using
> >> existing configurations in their email clients. Blocking port 25
> >> completely is reasonable in your situation, as long as guests can use
> >> port 587 or webmail (once again, not proxied in any way).
> >>
> >
> > What are implications of closing port 25 from the public in terms of
> > other MTX knowing how to communicate back with our MTX?
>
> None, as long as you're only blocking outgoing port 25 connections.
> There's no reason your guests would need to directly connect to your MX
> (assuming that's what you meant), and there's no need to block incoming
> connections to your MX on port 25 (beyond the usual spam prevention).
Actually, I closed port 25 on the MTX via master.cf,
#smtp inet - n - - ....
submission inet - n --...
...and also on our incoming PIX.
I figured if I block 25 outgoing on the hotspot gateway our guests who
use 25 to connect to their own servers would be blocked also.
> > I understand
> > 587 is standard alt port, but what about changing to something
> > non-standard?
>
> It's not for you, it's for your guests to connect to at their own ESPs
> that offer submission via port 587. For those that don't, there is
> usually a webmail alternative.
>
> It's hard to advise without knowing the reasoning behind offering an
> SMTP relay to wireless hotspot hotel guests. If this is really for
> internal purposes, not for guests, you can certainly use a nonstandard
> port. But for an open relay (even restricted to a subnet), this is
> merely security through obscurity, so you'll want to restrict access
> however possible.
Yes, it is really for guests. The corporate side has a totally different setup.
> It sounds like your biggest threat is that you have little control over
> the machines that join your wireless network.
YES!
> In that situation, I'd be
> very reluctant to supply an open relay, especially since most users are
> unlikely to use it in place of their own ESP.
No choice, it's a mandate from on high. But, it honestly doesn't see
that much traffic, except when a laptop is infected and my MTX is
blacklisted. The downside is that the host also needs to send some
legit mail from a local monitoring package. If it's blacklisted, that
mail has an uphill battle.
I am most curious how some of the gurus would handle this.
- Andrew
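An added example, not from Andrew's or Jorey's posts and not a configuration from the Postfix project: a master.cf/main.cf excerpt for a guest-only relay of the kind the thread describes, listening on 587 with port 25 closed, with Postfix's built-in per-client (anvil) limits so that one infected laptop cannot push enough mail through the host to get it blacklisted before anyone notices. The guest subnet 192.0.2.0/24, the rate numbers and the certificate paths are constructed placeholders.

```conf
# Added example (not from the thread). Assumes a constructed guest subnet
# 192.0.2.0/24 and placeholder certificate paths; adjust to the real site.

# ---- /etc/postfix/master.cf ----
# service   type  private unpriv  chroot  wakeup  maxproc command
#smtp       inet  n       -       n       -       -       smtpd
submission  inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination

# ---- /etc/postfix/main.cf ----
# Relay rights by source address only, limited to the guest subnet (the
# "mandate from on high" in the thread). Anything else is rejected by the
# restrictions set on the submission service above.
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# Server certificate so clients can STARTTLS on 587 (placeholder paths).
smtpd_tls_cert_file = /etc/postfix/tls/submission.crt
smtpd_tls_key_file  = /etc/postfix/tls/submission.key

# CAVEAT: the per-client limits below exempt $mynetworks by default, which
# would silently exempt every guest as well. Restrict the exemption to localhost.
smtpd_client_event_limit_exceptions = 127.0.0.0/8

# Per-client limits, enforced per anvil_rate_time_unit. Constructed values;
# tune them to what legitimate guest traffic actually looks like.
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 10
smtpd_client_connection_count_limit = 5
smtpd_client_message_rate_limit = 20
smtpd_client_recipient_rate_limit = 50
smtpd_recipient_limit = 20
```

After `postfix reload`, the limits show up in the mail log as anvil warnings when a client exceeds them, which is a cheap alert for "a laptop on the hotspot has started spewing" well before an external blacklist reacts. The `permit_mynetworks` line remains the weak spot, exactly as Jorey says: if guests can ever be given credentials, replace it with `permit_sasl_authenticated` (with `smtpd_sasl_auth_enable=yes` and `smtpd_tls_security_level=encrypt` on the submission service) and drop the subnet from `mynetworks`.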