Outbound SMTP Port 25

Hi,
I just read an article that claimed there are benefits to blocking outbound SMTP port 25. Does anyone have real world experience, pros and cons?
Thanks


On Thu, 23 Mar 2006 16:39:01 -0800, Gene <G***@discussions.microsoft.com> wrote:

>Hi,
>I just read an article that claimed there are benefits to blocking outbound
>SMTP port 25. Does anyone have real world experience, pros and cons?
>Thanks

Blocking it to whom?


Many organizations control inbound traffic tightly at the perimeter, but allow unrestricted outbound access to hosts on the trusted/internal network.

- Only authorized mail servers should be able to get out on SMTP to the * world.
- If using an SMTP host in the DMZ (or outsourced to an ISP), these hosts should only be able to send to the smarthost.
- One result of locking down SMTP - if there are rogue SMTP servers inside the organization or servers/client PCs infected with malicious code that uses its own SMTP engine to send spam or viruses, such messages will not get out to the internet.
- SMTP connections to Exchange SMTP virtual servers can and should also be controlled - clients (using Outlook) do not need to use SMTP to send mail. Only allow other SMTP hosts in the Org that need to have SMTP connectivity.

--
Bharat Suneja
MCSE, MCT
www.zenprise.com
blog: www.suneja.com/blog
-----------------------------------------

"Gene" <G***@discussions.microsoft.com> wrote in message news:0ABBDA67-8873-413F-98AE-A63161BEAFF3@microsoft.com...
> Hi,
> I just read an article that claimed there are benefits to blocking
> outbound
> SMTP port 25. Does anyone have real world experience, pros and cons?
> Thanks


On Thu, 23 Mar 2006 17:10:39 -0800, "Bharat Suneja" <bharatsuneja@no.spam.org> wrote:

>Many organizations control inbound traffic tightly at the perimeter, but
>allow unrestricted outbound access to hosts on the trusted/internal network.
>- Only authorized mail servers should be able to get out on SMTP to the *
>world.
>- If using an SMTP host in the DMZ (or outsourced to an ISP), these hosts
>should only be able to send to the smarthost.
>- One result of locking down SMTP - if there are rogue SMTP servers inside
>the organization or servers/client PCs infected with malicious code that
>uses its own SMTP engine to send spam or viruses, such messages will not get
>out to the internet.
>- SMTP connections to Exchange SMTP virtual servers can and should also be
>controlled - clients (using Outlook) do not need to use SMTP to send mail.
>Only allow other SMTP hosts in the Org that need to have SMTP connectivity.

Unfortunately, that sounds good, but reality is in a large organization or bank or places with unix installations, it's virtually impossible to lock that down.


Difficult, yes.

Nevertheless, if security is a concern, and at banks and financial institutes it should be, I would certainly advocate this approach.

--
Bharat Suneja
MCSE, MCT
www.zenprise.com
blog: www.suneja.com/blog
-----------------------------------------

"Andy David - MVP" <ada***@pleasekeepinngcheesebucket.com> wrote in message news:uvj622pvb6kefbolo3c557ckgqc22t1fkr@4ax.com...
> On Thu, 23 Mar 2006 17:10:39 -0800, "Bharat Suneja"
> <bharatsuneja@no.spam.org> wrote:
>
>>Many organizations control inbound traffic tightly at the perimeter, but
>>allow unrestricted outbound access to hosts on the trusted/internal
>>network.
>>- Only authorized mail servers should be able to get out on SMTP to the *
>>world.
>>- If using an SMTP host in the DMZ (or outsourced to an ISP), these hosts
>>should only be able to send to the smarthost.
>>- One result of locking down SMTP - if there are rogue SMTP servers inside
>>the organization or servers/client PCs infected with malicious code that
>>uses its own SMTP engine to send spam or viruses, such messages will not
>>get
>>out to the internet.
>>- SMTP connections to Exchange SMTP virtual servers can and should also be
>>controlled - clients (using Outlook) do not need to use SMTP to send mail.
>>Only allow other SMTP hosts in the Org that need to have SMTP
>>connectivity.
>
>
> Unfortunately, that sounds good, but reality is in a large
> organization or bank or places with unix installations, it's virtually
> impossible to lock that down.


On Thu, 23 Mar 2006 18:38:03 -0800, "Bharat Suneja" <bharatsuneja@no.spam.org> wrote:

>Difficult, yes.

lol.

>
>Nevertheless, if security is a concern, and at banks and financial
>institutes it should be, I would certainly advocate this approach.

Having worked at those places I can tell you why it ain't gonna happen. Sendmail Server A has permissions to access the VS. Sendmail Server B does not. Sendmail Server B relays its mail through Sendmail Server A and the messages are allowed through. Unless you spend your days parsing through SMTP logs, you'll never know it's going on. When you work at an institution with 50,000 users and thousands of different groups or something similar, security has to be weighed with reality. For a small to medium shop, it's a much easier prospect.


Any decent WS-based anti-virus program will block outbound SMTP from that WS.

Andy David - MVP <ada***@pleasekeepinngcheesebucket.com> wrote in news:uvj622pvb6kefbolo3c557ckgqc22t1fkr@4ax.com:

> On Thu, 23 Mar 2006 17:10:39 -0800, "Bharat Suneja"
> <bharatsuneja@no.spam.org> wrote:
>
>>Many organizations control inbound traffic tightly at the perimeter,
>>but allow unrestricted outbound access to hosts on the
>>trusted/internal network. - Only authorized mail servers should be
>>able to get out on SMTP to the * world.
>>- If using an SMTP host in the DMZ (or outsourced to an ISP), these
>>hosts should only be able to send to the smarthost.
>>- One result of locking down SMTP - if there are rogue SMTP servers
>>inside the organization or servers/client PCs infected with malicious
>>code that uses its own SMTP engine to send spam or viruses, such
>>messages will not get out to the internet.
>>- SMTP connections to Exchange SMTP virtual servers can and should
>>also be controlled - clients (using Outlook) do not need to use SMTP
>>to send mail. Only allow other SMTP hosts in the Org that need to have
>>SMTP connectivity.
>
>
> Unfortunately, that sounds good, but reality is in a large
> organization or bank or places with unix installations, it's virtually
> impossible to lock that down.


On Fri, 24 Mar 2006 06:31:02 -0800, "Asher_N" <compguy***@hotmail.com> wrote:

>Any decent WS-based anti-virus program will block outbound SMTP from that
>WS.

It's not the workstations you typically have to worry about.

>
>Andy David - MVP <ada***@pleasekeepinngcheesebucket.com> wrote in
>news:uvj622pvb6kefbolo3c557ckgqc22t1fkr@4ax.com:
>
>> On Thu, 23 Mar 2006 17:10:39 -0800, "Bharat Suneja"
>> <bharatsuneja@no.spam.org> wrote:
>>
>>>Many organizations control inbound traffic tightly at the perimeter,
>>>but allow unrestricted outbound access to hosts on the
>>>trusted/internal network. - Only authorized mail servers should be
>>>able to get out on SMTP to the * world.
>>>- If using an SMTP host in the DMZ (or outsourced to an ISP), these
>>>hosts should only be able to send to the smarthost.
>>>- One result of locking down SMTP - if there are rogue SMTP servers
>>>inside the organization or servers/client PCs infected with malicious
>>>code that uses its own SMTP engine to send spam or viruses, such
>>>messages will not get out to the internet.
>>>- SMTP connections to Exchange SMTP virtual servers can and should
>>>also be controlled - clients (using Outlook) do not need to use SMTP
>>>to send mail. Only allow other SMTP hosts in the Org that need to have
>>>SMTP connectivity.
>>
>>
>> Unfortunately, that sounds good, but reality is in a large
>> organization or bank or places with unix installations, it's virtually
>> impossible to lock that down.
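Bharat Suneja's allowlist of authorized mail servers and Andy David's point that a server relaying through an authorized one goes unnoticed "unless you spend your days parsing through SMTP logs" can both be turned into a routine check. The following Python is an added example, not code from the thread or from any participant; the addresses, the firewall log format and the Received: headers are constructed for illustration and stand in for whatever the firewall and relay actually emit.

```python
import re
from collections import Counter

# Assumed addresses: MTAs permitted to speak SMTP to the internet, and the
# internal hosts (here, one Exchange server) allowed to hand mail to them.
AUTHORIZED_MTA = {"10.0.5.10", "10.0.5.11"}
ALLOWED_RELAY_CLIENTS = {"10.0.2.20"}

# Constructed firewall egress log lines (generic syslog style, not from any
# real product); one outbound TCP connection per line.
FIREWALL_LOG = """\
Mar 23 17:10:39 fw1 egress: ACCEPT src=10.0.5.10 dst=203.0.113.25 proto=TCP dport=25
Mar 23 17:10:41 fw1 egress: ACCEPT src=10.0.7.42 dst=198.51.100.7 proto=TCP dport=25
Mar 23 17:10:42 fw1 egress: ACCEPT src=10.0.7.42 dst=198.51.100.9 proto=TCP dport=25
Mar 23 17:10:44 fw1 egress: ACCEPT src=10.0.9.3 dst=192.0.2.80 proto=TCP dport=443
Mar 23 17:10:45 fw1 egress: ACCEPT src=10.0.5.11 dst=203.0.113.26 proto=TCP dport=25
Mar 23 17:10:47 fw1 egress: ACCEPT src=10.0.8.15 dst=198.51.100.7 proto=TCP dport=25
"""
FW_RE = re.compile(r"src=(?P<src>[\d.]+) dst=[\d.]+ proto=TCP dport=(?P<dport>\d+)")

def rogue_smtp_senders(log_text, authorized=AUTHORIZED_MTA):
    """Outbound TCP/25 attempts per internal host that is not an authorized MTA:
    the hosts an egress rule would cut off, or whose DENY entries need a look."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m.group("dport") == "25" and m.group("src") not in authorized:
            hits[m.group("src")] += 1
    return dict(hits)

# Constructed Received: headers as stamped by the authorized relay. The second
# is the thread's case: a server with no outbound permission relaying via one that has it.
RECEIVED_HEADERS = [
    "Received: from exch1.corp.example (10.0.2.20) by mta1.corp.example (10.0.5.10)",
    "Received: from sendmail-b.corp.example (10.0.7.42) by mta1.corp.example (10.0.5.10)",
]
RECV_RE = re.compile(r"^Received: from \S+ \((?P<src>[\d.]+)\) by \S+ \((?P<relay>[\d.]+)\)")

def unauthorized_relay_clients(headers, authorized=AUTHORIZED_MTA,
                               allowed_clients=ALLOWED_RELAY_CLIENTS):
    """Hosts that handed mail to an authorized MTA while being neither an
    authorized MTA nor an approved submission source (sorted, deduplicated)."""
    found = set()
    for h in headers:
        m = RECV_RE.match(h)
        if m and m.group("relay") in authorized:
            if m.group("src") not in authorized | allowed_clients:
                found.add(m.group("src"))
    return sorted(found)
```

Both checks match on source and port only, so they run unchanged against the DENY entries once the egress rule is in place, which is what turns the log-parsing chore into a short daily report.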