Firewall and NAT

Paul Howarth paul at city-fan.org
Tue Nov 2 09:00:39 UTC 2004 

On Mon, 2004-11-01 at 18:55, Leonard Isham wrote:
> I suspect that these are the reasons sendmail.org recommends firewalling MSA:
> 
> Meant to be less strict on standards compliance
>     * Addresses don't have to be fully qualified
>     * Hostnames don't have to be fully qualified
>     * Don't require "required" headers, e.g. Message-ID: and Date: 

Having thought about this overnight, I've come to the conclusion that
the advice on firewalling off the MSA port is to prevent opening up what
is effectively a "second MTA" that could be tried by spammers/viruses
etc. when attempting to deliver mail to domains handled by that mail
server, i.e. to try to avoid spam/virus checkers that could be running
on the MTA but probably not on the MSA. Sendmail's default configuration
creates an MSA that does the same job that the MSP (Message Submission
Program) does for locally-generated mail, i.e. fully-qualifying
addresses, hostnames etc. as you mentioned above, in preparation for
sending mail out on to the Internet. However, it does nothing to prevent
any external client from connecting to it and using it to present mail
for local delivery. Hence the advice of firewalling it off from external
clients. However, there is another way to prevent this, i.e. by setting
up the MSA with the "a" daemon flag, like this:

FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

The "a" flag makes the MSA require authentication from any client
connecting to it. This is how to ensure that only genuine roaming users
with the right username/password can access the MSA, without leaving it
open to anybody attempting local delivery. This setup allows roaming
users to always use the same mail sending settings in the mail clients,
which will work from wherever they are, even ISPs that block outbound
port 25.

The Security Considerations section of the Message Submission RFC
(http://www.faqs.org/rfcs/rfc2476.html - see section 9), appears to
support this viewpoint:

   Separation of submission and relay of messages can allow a site to
   implement different policies for the two types of services, including
   requiring use of additional security mechanisms for one or both.  It
   can do this in a way which is simpler, both technically and
   administratively.  This increases the likelihood that policies will
   be applied correctly.

   Separation also can aid in tracking and preventing unsolicited bulk
   email.

   For example, a site could configure its MSA to require authentication
   before accepting a message, and could configure its MTA to reject all
   RCPT TOs for non-local users.  This can be an important element in a
   site's total email security policy.

   If a site fails to require any form of authorization for message
   submissions (see section 3.3 for discussion), it is allowing open use
   of its resources and name; unsolicited bulk email can be injected
   using its facilities.

Paul.
-- 
Paul Howarth <paul at city-fan.org>

More information about the fedora-list mailing list