On Mon, 17 Nov 2014, Ron Leach wrote:
> Let me list the approach we'd prefer:
>
> (i) MTA open on port 25 for inbound email.
>
> (ii) MTA not open on any other port, because (for example, our) MTAs are constantly faced on port 25 with password attacks, malformed packets,

OK: You've been hacked through SMTP once, ...

> (iii) Users who are logged in to Dovecot (i.e., authorised by Dovecot, so not authorised by any software which is subject to attack and which will be compromised from time to time) able to submit outbound messages through Dovecot on the internal network to an MTA which will only relay from the internal network.

... now you try yet another product with exactly the same problem; your IMAP/POP servers are attacked as well. And most systems do not separate IMAP and SMTP passwords.

> (iv) No use of STARTTLS; all client messaging to be secure at and from the point of protocol initiation. SSL=required, in terms of the Dovecot conf.

Personally, I do not think that is more secure.

> Off topic for Dovecot list, but I might think instead about separate inbound and outbound MTAs to achieve containment of inbound MTA compromise.

I believe this approach is the best way for your concerns anyway. Make this separate server inbound only on port 587, no other services. You could combine it with an almost instant sync of users which are logged in via IMAP/POP in Dovecot incl. IP and allow any requests for those user/IP combinations. Sort of: SMTP-after-POP but with SMTP auth and all. Or open IPs only after IMAP/POP-Login succeeded. Or ...
Steffen Kaiser
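The "SMTP-after-IMAP/POP" idea Steffen sketches above (the submission host relays only for user/IP pairs that recently authenticated to Dovecot, and a successful login renews the grant), as an added example that is not from the thread or from Dovecot itself. The Dovecot syslog lines are constructed; the 30-minute TTL, the fixed year and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Dovecot login lines as written to syslog: two successful
# logins, one failed attempt, and a repeat login that should renew alice's grant.
LOG = """\
Nov 17 09:01:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=4711, TLS, session=<AAAA>
Nov 17 09:02:40 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4712, TLS, session=<BBBB>
Nov 17 09:03:05 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<mallory>, method=PLAIN, rip=192.0.2.200, lip=192.0.2.10, TLS, session=<CCCC>
Nov 17 09:20:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=4713, TLS, session=<DDDD>
"""

# Only lines that report a completed "Login:" count; failed or disconnected
# attempts never grant relay, whatever user name they carried.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: Login: "
    r"user=<(?P<user>[^>]+)>, .*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies it (assumption: 2014)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def build_allowlist(log_text, ttl_minutes=30, year=2014):
    """Return {(user, remote_ip): expiry} for successful IMAP/POP logins."""
    allow = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        key = (m["user"], m["rip"])
        expiry = parse_ts(m["ts"], year) + timedelta(minutes=ttl_minutes)
        allow[key] = max(allow.get(key, expiry), expiry)  # a new login renews the grant
    return allow

def may_relay(allow, user, ip, now_ts, year=2014):
    """Decision the submission host makes for an SMTP-authenticated user at now_ts.

    The user must have logged in to Dovecot from the same IP within the TTL;
    the SMTP authentication itself is still required, it just is not sufficient.
    """
    expiry = allow.get((user, ip))
    return expiry is not None and parse_ts(now_ts, year) <= expiry

if __name__ == "__main__":
    grants = build_allowlist(LOG)
    for (user, ip), exp in sorted(grants.items()):
        print(f"{user}@{ip} may relay until {exp:%H:%M:%S}")
```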