2.2.15: SMTP submission server?
Robert Schetterer
rs at sys4.de
Thu Nov 27 08:35:15 UTC 2014
On 27.11.2014 at 08:17, Steffen Kaiser wrote:
> On Wed, 26 Nov 2014, Mark Homoky wrote:
>> On 17/11/2014 07:23, Ron Leach wrote:
>>> On 16/11/2014 07:24, Robert Schetterer wrote (re-ordered):
>>>> On 16.11.2014 at 02:24, Reindl Harald wrote:
>>>
>>> Off topic for Dovecot list, but I might think instead about separate
>>> inbound and outbound MTAs to achieve containment of inbound MTA
>>> compromise.
>
> @Ron: This seems to be the most sensible option for your concerns
> anyway, but with a well-known MSA. The inbound MTA need not advertise
> its existence to the web and, if port 587 is the only one, you could
> ban port probes, because few attackers will start with port 587.
>
>> As Reindl said switch off SASL on port 25 (hence in the SMTP
>> conversation following the ehlo line, the client isn't even offered
>> AUTH and hence the chance to login to try to relay).
> [cut]
>> You really can't get stronger mail injection than using the standard
>> submission port only accepting AUTH via TLS encrypted connections on
>> port 587
>
> If both port 25 and port 587 are open on the same server, is there any
> statistic about how much attackers probe port 25 before 587 and if
> disabling AUTH on port 25 helps at all in that case?
At my site, brute force is done on both ports, typically searching for weak
passwords, so having submission only for mail clients is no cure (but for
sure this should be state of the art),
but in most cases it's like
submission/smtpd[27698]: warning: unknown[...]: SASL LOGIN
authentication failed: UGFzc3dvcmQ6
This may be related to having autoconfig/autodiscover up and running
for all domains, forgotten and/or misconfigured (typos) mobile
clients etc., so someone may argue this isn't a good idea in case of security.
Looking at all my servers over time, all types of hacking on all
ports are done; in case of mail it might be a good idea to have e.g.
fail2ban etc. to cover SASL logins. As an alternative you may have a look at
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
The main advantage of having submission separate (whatever software) is
the chance to have other restrictions enabled (more easily); typically
you do postscreen on port 25 and may use other policies for older
mail clients at submission.
To be honest, I don't understand discussions about security and the upcoming
dovecot SMTP submission server as long as it has no bugs and the same advanced
config options as e.g. postfix submission; after all everyone is free
to use it or not.
>
> -- Steffen Kaiser
Best regards,
Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board of Directors: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
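Added example (not from Robert's post, from fail2ban or from the linked blog): a small Python detector run over constructed Postfix log lines of the kind quoted above. It decodes the base64 tail that Postfix logs (UGFzc3dvcmQ6 is the LOGIN mechanism's "Password:" challenge) and applies a fail2ban-style maxretry/findtime rule per client address, counting failures on port 25 and on submission together since, as the post notes, brute force hits both. Hostnames, addresses, timestamps and thresholds are constructed.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape quoted in the post (Postfix via syslog);
# hosts, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Nov 27 08:01:02 mx submission/smtpd[27698]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 27 08:01:09 mx submission/smtpd[27698]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 27 08:01:15 mx submission/smtpd[27699]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Nov 27 08:02:30 mx smtpd[27700]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 27 08:03:00 mx submission/smtpd[27701]: connect from client.example.net[203.0.113.5]
Nov 27 08:03:01 mx submission/smtpd[27701]: warning: client.example.net[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Timestamp, smtpd instance ("smtpd" on port 25 or "submission/smtpd"), client
# address and whatever Postfix logged after "authentication failed:".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w/]*smtpd)\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed: "
    r"(?P<detail>.*)$")

def decode_detail(detail: str) -> str:
    """The detail is often the base64 SASL challenge the exchange stopped at:
    UGFzc3dvcmQ6 is the LOGIN mechanism's 'Password:' prompt."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return detail  # plain-text reason, leave as logged

def parse_failures(log: str, year: int = 2014):
    """Yield (timestamp, service, ip, decoded_detail) per SASL failure line
    (syslog has no year, so the caller supplies it)."""
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:  # connects, disconnects and successful logins are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["svc"], m["ip"], decode_detail(m["detail"])

def offenders(log: str, maxretry: int = 3, findtime_s: int = 600) -> dict:
    """fail2ban-style rule: report an address with maxretry or more failures
    inside findtime_s seconds, counted across port 25 and submission."""
    seen = defaultdict(list)  # ip -> failure timestamps, in log (time) order
    for ts, _svc, ip, _detail in parse_failures(log):
        seen[ip].append(ts)
    # report if any run of maxretry consecutive failures fits in the window
    return {ip: len(t) for ip, t in seen.items()
            if any((t[i + maxretry - 1] - t[i]).total_seconds() <= findtime_s
                   for i in range(len(t) - maxretry + 1))}
```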