Educause Security Discussion mailing list archives

Re: Blocking port 25 outbound


From: Information Security <infosecurity () UTPA EDU>
Date: Mon, 22 Aug 2005 15:24:02 -0500

Michael Grinnell wrote:

  Also, it helps to set up SMTP AUTH first. That way, your users can set their email programs to always use your outbound mail server, and they won't have to keep changing their outbound mail server when they move on and off campus.

Agreed, although an alternative trick is to have a split DNS. You can have thousands of hosts with proper names in your internal DNS but just a key few visible to the world, such as "www", "mail", "smtp", etc. (Bind 9 does this quite easily. Dunno about other DNS servers.)

Anyway, the trick there is that

1) you use a different name for MX hosts than you do for machines which your clients connect to (e.g. incoming MX points to "spamfilter.univ.edu" but clients send SMTP mail through "smtp.univ.edu")

2) you have an SMTP host for 'outside' clients which has the same name as for inside, but which insists on SMTP AUTH, whereas the internal one takes connections from anyone with a valid IP in your own subnets. (i.e. internal IPs see the open server as "smtp.univ.edu" but external hosts see the auth-configured server when they access that name) [And yes, you can configure one server to do both roles; I'm just a big believer in keeping functions separate, especially when you can trivially configure a "user mode linux" virtual server to take on a lightweight role like an smtp-auth server which won't get much load - keeping them separate simplifies configuration tremendously]

3) You block access from off-campus to all SMTP servers *except* your
MX hosts for incoming mail, and your SMTP AUTH server for outgoing
mail from your road warriors.

G
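The split DNS from steps 1 and 2 above, written out as an added example (not part of the original post or the poster's own setup): a BIND 9 named.conf with an internal and an external view, followed by the relevant records of the two zone files each view serves. The subnet ranges, IP addresses and the "smtpauth" host name are constructed placeholders from the documentation ranges.

```conf
// named.conf (added example): two views of the same zone name
acl "campus" { 10.0.0.0/8; 192.168.0.0/16; };   // assumed internal subnets

view "internal" {
    match-clients { "campus"; };                  // queries from inside campus
    recursion yes;
    zone "univ.edu" {
        type master;
        file "/etc/bind/internal/db.univ.edu";   // full host list
    };
};

view "external" {
    match-clients { any; };                       // everyone else
    recursion no;
    zone "univ.edu" {
        type master;
        file "/etc/bind/external/db.univ.edu";   // only the key few names
    };
};

// ---- /etc/bind/internal/db.univ.edu (internal view) ----
; $TTL 3600
; @           IN SOA ns1.univ.edu. hostmaster.univ.edu. ( 2005082201 3600 900 1209600 300 )
;             IN NS  ns1.univ.edu.
;             IN MX  10 spamfilter.univ.edu.     ; step 1: MX name differs from client relay name
; ns1         IN A   10.0.0.2
; spamfilter  IN A   203.0.113.10                ; incoming MX, reachable from anywhere
; smtp        IN A   10.0.0.25                   ; internal relay: trusts source IP, no AUTH
; smtpauth    IN A   203.0.113.25                ; SMTP AUTH server, also usable from inside
; lab-pc-0001 IN A   10.1.2.3                    ; ... thousands of internal hosts

// ---- /etc/bind/external/db.univ.edu (external view) ----
; $TTL 3600
; @           IN SOA ns1.univ.edu. hostmaster.univ.edu. ( 2005082201 3600 900 1209600 300 )
;             IN NS  ns1.univ.edu.
;             IN MX  10 spamfilter.univ.edu.
; ns1         IN A   203.0.113.2
; www         IN A   203.0.113.80
; spamfilter  IN A   203.0.113.10                ; incoming MX
; smtp        IN A   203.0.113.25                ; step 2: same name, resolves to the AUTH-only host
```

With this in place, step 3 reduces to a firewall rule that admits off-campus TCP/25 only to 203.0.113.10 and 203.0.113.25 (the placeholder addresses above); the internal relay at 10.0.0.25 is never exposed by name or by route.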
