2.2.15: SMTP submission server?

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Thu Nov 27 07:17:53 UTC 2014


On Wed, 26 Nov 2014, Mark Homoky wrote:
> On 17/11/2014 07:23, Ron Leach wrote:
>> On 16/11/2014 07:24, Robert Schetterer wrote (re-ordered):
>>> Am 16.11.2014 um 02:24 schrieb Reindl Harald:
>> 
>> Off topic for Dovecot list, but I might think instead about separate 
>> inbound and outbound MTAs to achieve containment of inbound MTA compromise.

@Ron: This seems to be the most sensible option for your concerns anyway, 
but with a well-known MSA. The inbound MTA need not advertise its 
existence to the web and, if port 587 is the only one, you could ban port 
probes, because few attackers will start with port 587.

> As Reindl said switch off SASL on port 25 (hence in the SMTP conversation 
> following the ehlo line, the client isn't even offered AUTH and hence the 
> chance to login to try to relay).
[cut]
> You really can't get stronger mail injection than using the standard 
> submission port only accepting AUTH via TLS encrypted connections on port 587

If both port 25 and port 587 are open on the same server, is there any 
statistic about how much attackers probe port 25 before 587 and if 
disabling AUTH on port 25 helps at all in that case?

-- 
Steffen Kaiser

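The policy discussed in this message (no AUTH offered on port 25, AUTH on port 587 only once the session is TLS-protected) can be verified from the outside by reading what the server advertises in its EHLO reply. The script below is an added example written for this page, not code from the thread or from Dovecot: it parses EHLO replies into extension keywords, applies the policy to constructed sample replies (the hostname mx.example.invalid and the transcripts are made up), and includes a live probe built on the standard library for checking a real host. A server whose port 25 reply contains an AUTH line is the "weak" case; the "fixed" case offers STARTTLS on both ports and AUTH only after STARTTLS on 587.

```python
"""Check which SMTP ports advertise AUTH, and whether port 587 offers it
only after STARTTLS. Added example, not part of the original thread."""
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
EHLO_PORT25_WEAK = """250-mx.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

EHLO_PORT25_FIXED = """250-mx.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

# Port 587 before STARTTLS: no AUTH yet, but STARTTLS must be on offer.
EHLO_PORT587_PLAINTEXT = """250-mx.example.invalid
250-PIPELINING
250-STARTTLS
250 8BITMIME"""

# Port 587 after STARTTLS: AUTH is now advertised.
EHLO_PORT587_AFTER_TLS = """250-mx.example.invalid
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME"""


def parse_ehlo(text):
    """Return the set of upper-cased extension keywords in an EHLO reply.

    Accepts the raw wire form ('250-KEYWORD ...' / '250 KEYWORD ...') as well
    as lines with the reply code already stripped. The first line is the
    server's own name, not an extension. 'AUTH=PLAIN' (legacy form) and
    'AUTH PLAIN' both count as AUTH.
    """
    keywords = set()
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    for line in lines[1:]:
        if line[:3] == "250" and len(line) > 3 and line[3] in "- ":
            line = line[4:].strip()
        if not line:
            continue
        keywords.add(line.split()[0].split("=")[0].upper())
    return keywords


def check_policy(port25, port587_plain, port587_tls):
    """Apply the policy from the thread to three keyword sets.

    port25: EHLO keywords seen on port 25 (plaintext).
    port587_plain: keywords on port 587 before STARTTLS.
    port587_tls: keywords on port 587 after STARTTLS.
    Returns a list of findings; an empty list means the policy holds.
    """
    findings = []
    if "AUTH" in port25:
        findings.append("port 25 advertises AUTH")
    if "AUTH" in port587_plain:
        findings.append("port 587 advertises AUTH before STARTTLS")
    if "STARTTLS" not in port587_plain:
        findings.append("port 587 does not offer STARTTLS")
    if "AUTH" not in port587_tls:
        findings.append("port 587 does not offer AUTH after STARTTLS")
    return findings


def check_embedded(port25_reply):
    """Run the policy check against the constructed transcripts above,
    using the given port 25 reply (weak or fixed)."""
    return check_policy(parse_ehlo(port25_reply),
                        parse_ehlo(EHLO_PORT587_PLAINTEXT),
                        parse_ehlo(EHLO_PORT587_AFTER_TLS))


def probe(host, port, use_starttls=False, timeout=10):
    """Live probe (needs network; not used by the embedded checks): return the
    EHLO keyword set from host:port, optionally after upgrading to TLS.
    smtplib records the advertised extensions in esmtp_features (lower-case)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if use_starttls:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
        return {k.upper() for k in s.esmtp_features}


if __name__ == "__main__":
    print("weak port 25:", check_embedded(EHLO_PORT25_WEAK))
    print("fixed port 25:", check_embedded(EHLO_PORT25_FIXED))
```

To run it against a real host, pass `probe(host, 25)`, `probe(host, 587)` and `probe(host, 587, use_starttls=True)` to `check_policy`. On Postfix (the thread does not name the MTA, so this is an assumption about the setup) the matching server-side settings are `smtpd_sasl_auth_enable = no` in main.cf, with `-o smtpd_sasl_auth_enable=yes`, `-o smtpd_tls_security_level=encrypt` and `-o smtpd_tls_auth_only=yes` on the submission service in master.cf. Note that the check only confirms what is advertised; Steffen's question about how often attackers move from port 25 to 587 is not something the EHLO reply can answer.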