SMTP Security for Roaming Users

Hi all,

We used to arrange our mobile users to use VPN to access our MS (2005Q4) server so that they can use it as a relay to send mail to external email addresses when they are roaming. The server is configured so it allows mail relay from internal (VPN) IP addresses so that it still protects us from external spammers from using it as an open relay.

That has worked well for some time. However, it has 2 disadvantages:

1. Users must first set up a VPN before getting mail, and that's a support nightmare

2. Sending email this way allows any internal and VPN users to forge the sender envelope address

So I'm thinking the following:

1. Enable SMTPS (to avoid the VPN stuff)

2. Configure MS to require authentication for both SMTP and SMTPS for senders who use an @ourdomain.com email address in the envelope. And at the same time, match that envelope sender address with the authenticated user to see if they match.

I have already done point #1. But #2 seems so complicated. Please advise if I am thinking in the correct direction. Is there a simpler way to achieve that?

Any ideas are welcome.

Thanks.

BR,

Py

By e-jing at 2007-11-26 9:51:42
# 1

What to configure sort of depends on exactly what your goals are.

By default, Messaging Server will require any external IP address to authenticate when it's sending mail outside your internal domain. You don't have to do anything to get this.

TLS, or secure SMTP on another port, is also available, pretty easily. And reasonably documented.

Personally, I have strong doubts about how useful encrypted SMTP is, as server-to-server traffic is all plain text, without any security...

My system uses simple authenticated SMTP for my external users. Most clients are easy to set up for this, and the server does it by default.

jay_plesset at 2007-7-7 1:05:14
# 2

Hi,

SMTPS is definitely a good idea for roaming users. If you are going to be requiring authentication then you want the authentication details to be encrypted.

> 2. Configure MS to require authentication for both SMTP and SMTPS for senders who use an @ourdomain.com email address in the envelope. And at the same time, match that envelope sender address with the authenticated user to see if they match.

This seems complex to me and is going to cause issues for users who send emails via their ISP's server to your work-place when working from home. Requiring authentication for the SMTPS connection is a good idea and that can be accomplished just by associating the TLS port with the SMTP_SUBMIT service (instead of just SMTP):

[SERVICE=SMTP_SUBMIT]
PORT=587
! Uncomment the following line if you want to support SSL on the alternate
! port 465
TLS_PORT=465

You should also enable the logging of the username used when authenticating by adding the following line to the option.dat file:

LOG_USERNAME=1

That way, if there is a user who 'spoofs' their email address, you know who they are (by the username), the IP address they came from and who they were pretending to be. This should act as a sufficient deterrent.

Shane.

shane_hjorth at 2007-7-7 1:05:14
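As an added example that is not from this thread or from Messaging Server itself, here is a small Python check implementing the envelope-sender/authenticated-user match Py asks about in point #2, plus a detection pass over log records of the kind LOG_USERNAME=1 makes possible. The record layout, the domain ourdomain.com and the sample addresses are constructed assumptions, not the server's real mail.log format.

```python
import re
from typing import List, Optional, Tuple

LOCAL_DOMAIN = "ourdomain.com"  # assumption: the organisation's own mail domain


def check_submission(auth_user: Optional[str], mail_from: str, from_internal: bool) -> str:
    """Decide one submission. auth_user is the SMTP AUTH username (None if the
    session did not authenticate); from_internal is True for internal/VPN addresses.
    Returns 'accept', 'reject-auth' or 'reject-mismatch'."""
    local, _, domain = mail_from.lower().rpartition("@")
    if domain != LOCAL_DOMAIN:
        # A foreign envelope sender is plain relaying: allowed from inside, or once authenticated.
        return "accept" if (from_internal or auth_user) else "reject-auth"
    if auth_user is None:
        # @ourdomain.com senders must always authenticate, even from inside (point #2).
        return "reject-auth"
    user = auth_user.lower()
    # Accept either the bare username or the full address as the AUTH identity.
    if user != local and user != mail_from.lower():
        return "reject-mismatch"
    return "accept"


# Constructed log layout for this example; NOT Messaging Server's real mail.log format.
# "user=-" marks an unauthenticated session.
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) from=(?P<sender>\S+)")


def find_spoofed(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (username, ip, envelope sender) for authenticated sessions that used
    someone else's @ourdomain.com envelope address."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user = None if m["user"] == "-" else m["user"]
        if check_submission(user, m["sender"], from_internal=False) == "reject-mismatch":
            hits.append((m["user"], m["ip"], m["sender"]))
    return hits


# Constructed sample records (IP addresses from the documentation ranges).
SAMPLE_LOG = [
    "2007-11-26 09:51:42 ip=203.0.113.7 user=alice from=alice@ourdomain.com to=x@example.net",
    "2007-11-26 09:52:10 ip=203.0.113.7 user=alice from=bob@ourdomain.com to=x@example.net",
    "2007-11-26 09:53:33 ip=198.51.100.4 user=- from=carol@example.org to=dave@ourdomain.com",
]
```

Note that the policy rejects an unauthenticated external session with an @ourdomain.com sender, which is exactly the home user sending through their ISP's relay that Shane warns about; run the log pass for detection first if that breakage is not acceptable.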