Re: [FW-1] Filtering incoming SMTP "from" your domain via SS



Ditto that.  There might be users 'out there' who need to send from outside
to internal identities using a 'from' of their own internal identity.  If
the original lockdown described is implemented, things just won't work.

In point of fact the real issue is that 'from' addresses are totally
arbitrary and easy to forge, so implementing any rules that *allow* access
based on them is a bad idea.  The best thing is to either:

- Get them VPN access to the SMTP box, with that VPN access doling out a
local IP address, so the SMTP box will in turn let them in.

- Set up some kind of webmail thing, preferably accessible only through a
VPN, publicly-accessible if you have *no* other choice.

And if the end user doesn't like those two, well, they can send email from
home using their home address.  There has to be a line somewhere. :)

-----Original Message-----
From: David Gillett [mailto:[email protected]]
Sent: Tuesday, June 04, 2002 1:36 PM
To: [email protected]
Subject: Re: [FW-1] Filtering incoming SMTP "from" your domain via SS


1.  Several of the large dial-up ISPs do not allow port 25 (SMTP)
connections by clients to any but the ISP's own mail servers.  This prevents
spammers from using their dial-up services to reach and abuse unprotected
relay servers.  It also prevents your dial-up users from relaying via your
SMTP server.

2.  Rather than allow relaying for a longish list of static external
addresses, my preference is to equip remote users to connect via VPN, and
from there they can use the SMTP server as if they were on-site.

DG


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Marlo
Montanaro
Sent: Tuesday, June 04, 2002 10:37 AM
To: [email protected]
Subject: Re: [FW-1] Filtering incoming SMTP "from" your domain via SS


We have remote users (usually from their home computers) who like to be able
to reply to messages, or send new messages, and have everything look as if
the email came from the company mail server.  Additionally, all of our
outgoing email is scanned for viruses (which cannot be guaranteed from any
remote user).

Because of the above scenario, it is not possible to have our remote users
use their ISP's mail server as an outgoing mail server for company email.

As a result, remote users are sending mail (sometimes to our domain) that
appears to be coming from our domain, since they actually are from our
domain, and also relaying off of our mail server to other domains so emails
appear to come from a company email address (the nice part here is the
outgoing virus scanning).

The downside of this is that, since we have relay turned off from the
outside, we have to explicitly allow users in by entering them into the mail
server configuration as allowed.  This means they have to have a static IP
address or static hostname.  In reality, many cable-modem subscribers,
although they have DHCP addresses, have the same IP address for months or
years- so it is not hard to keep up with.  It is only the dial-up users who
have a problem (it is unusable for them, in reality).

Marlo

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Coleman,
Clayton
Sent: Tuesday, June 04, 2002 11:20 AM
To: [email protected]
Subject: [FW-1] Filtering incoming SMTP "from" your domain via SS


Here's the scenario:  We block all incoming mail not destined for our mail
domains (to block relay) but we are also considering not allowing people to
deliver mail to us that appears to come from our domain.  Confusing? Simply
put, should we allow someone from the Internet to deliver to our SMTP server
"From: [email protected]" "To: [email protected]" since all
mail from foxboro.com should come from internal?   What would be the
downsides of blocking someone from the Internet who tries to do that? And,
can we do that in a resource...?  I only think it works for the destination
domain, not the source domain of the email. Thanks much. Clayton

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
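
The policy the thread converges on, as an added example that is not part of the original messages: relay is granted only by source network (on-site or VPN-assigned addresses), while the envelope sender is never used to allow anything and can only trigger the optional own-domain reject. The domain, address ranges and function names are assumptions chosen for illustration.

```python
import ipaddress

# Placeholders (assumptions, not values from the thread).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),       # on-site LAN
    ipaddress.ip_network("192.168.50.0/24"),  # addresses handed out by the VPN
]

def domain_of(addr):
    """Domain part of an envelope address; '' for the null sender <>."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def smtp_policy(client_ip, mail_from, rcpt_to, block_external_own_domain=True):
    """Decide what to do with one MAIL FROM / RCPT TO pair.

    The sender address never grants access: it is forgeable, so it can
    only cause a reject. Relay rights come from the client address alone.
    """
    ip = ipaddress.ip_address(client_ip)
    trusted = any(ip in net for net in TRUSTED_NETS)
    sender_local = domain_of(mail_from) in LOCAL_DOMAINS
    rcpt_local = domain_of(rcpt_to) in LOCAL_DOMAINS

    if trusted:
        return ("accept", "trusted network: local delivery or relay")
    if not rcpt_local:
        return ("reject", "relay denied for external client")
    if sender_local and block_external_own_domain:
        return ("reject", "own-domain sender from external address")
    return ("accept", "inbound mail for local domain")

# Constructed sessions: (client IP, envelope sender, envelope recipient).
SESSIONS = [
    ("203.0.113.7",   "alice@example.com", "bob@example.com"),      # home user, no VPN
    ("192.168.50.12", "alice@example.com", "carol@example.net"),    # same user over VPN
    ("198.51.100.9",  "alice@example.com", "victim@example.net"),   # forged sender, relay attempt
    ("198.51.100.9",  "dave@example.org",  "bob@example.com"),      # ordinary inbound mail
    ("198.51.100.9",  "",                  "bob@example.com"),      # bounce with null sender
]

def evaluate(sessions, **kwargs):
    """Return the action for each constructed session."""
    return [smtp_policy(*s, **kwargs)[0] for s in sessions]

if __name__ == "__main__":
    for session in SESSIONS:
        print(session, "->", smtp_policy(*session))
```

The first session is the downside raised in the replies: a legitimate remote user is rejected under the lockdown until they connect through the VPN, as in the second session.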




 
   All contents © 2004 Network Presence, LLC. All rights reserved.