2.2.15: SMTP submission server?

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Mon Nov 17 08:04:33 UTC 2014

On Mon, 17 Nov 2014, Ron Leach wrote:

> Let me list the approach we'd prefer:
> (i) MTA open on port 25 for inbound email.
> (ii) MTA not open on any other port, because (for example, our) MTAs are 
> constantly faced on port 25 with password attacks, malformed packets,

OK: You've been hacked through SMTP once, ...

> (iii) Users who are logged in to Dovecot (ie, authorised by Dovecot, so not 
> authorised by any software which is subject of attack and which will be 
> compromised from time to time) able to submit outbound messages through 
> Dovecot on the internal network to an MTA which will only relay from the 
> internal network.

... now you try yet another product with exactly the same problem;
your IMAP/POP servers are attacked as well. And most systems do not
separate IMAP and SMTP passwords.

> (iv) No use of STARTTLS; all client messaging to be secure at and from the 
> point of protocol initiation.  SSL=required, in terms of the Dovecot conf.

Personally, I do not think that is more secure.

> Off topic for Dovecot list, but I might think instead about separate inbound 
> and outbound MTAs to achieve containment of inbound MTA compromise.

I believe this approach is the best way for your concerns anyway.
Make this separate server inbound only on port 587, no other services.
You could combine it with an almost instant sync of users which are
logged in via IMAP/POP in Dovecot incl. IP and allow any requests for
those user/IP combinations. Sort of: SMTP-after-POP but with SMTP auth
and all. Or open IPs only after IMAP/POP-Login succeeded. Or ...

Steffen Kaiser
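
One way to realise the "sync of logged-in user/IP pairs" idea from the reply above, as an added illustration that is not code from Dovecot, Postfix or anyone in this thread. It assumes the Dovecot 2.2 login log line format (`imap-login: Login: user=<...>, method=..., rip=...`), a 10-minute validity window (an arbitrary choice), and a hook in the port-587 server that can call `submission_allowed()` after SMTP AUTH; the log lines are constructed, and `RecentLogins`, `submission_allowed` and `demo` are names invented for this example.

```python
import re

# Dovecot 2.2 login line as written by the imap-login / pop3-login processes.
# Only a successful "Login:" line matches; "Disconnected (auth failed ...)"
# lines deliberately do not, so failed logins never open submission.
LOGIN_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[^,]+), rip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample log lines (not from a real system), paired with the
# second at which each was seen.
SAMPLE_LOG = [
    (0, "Nov 17 08:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=4242, TLS, session=<Ab12Cd34>"),
    (4, "Nov 17 08:00:05 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4243, TLS, session=<Ef56Gh78>"),
    (8, "Nov 17 08:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mallory>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS, session=<Ij90Kl12>"),
]


class RecentLogins:
    """Table of (user, client IP) pairs seen logging in to IMAP/POP recently.

    ttl_seconds is an assumption of this example: how long after the last
    IMAP/POP login a pair stays valid for submission."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self.seen = {}  # (user, ip) -> time of last successful login

    def feed_log_line(self, line, now):
        """Record the pair if `line` is a successful login; return True if so."""
        m = LOGIN_RE.search(line)
        if m is None:
            return False
        self.seen[(m.group("user"), m.group("rip"))] = now
        return True

    def expire(self, now):
        """Drop pairs whose last login is older than the window."""
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.ttl}

    def is_recent(self, user, ip, now):
        self.expire(now)
        return (user, ip) in self.seen


def submission_allowed(table, smtp_auth_ok, user, client_ip, now):
    """Hypothetical policy hook for the port-587 server: SMTP AUTH must still
    succeed, AND the same user must have logged in to IMAP/POP from the same
    IP within the window (Steffen's "SMTP-after-POP but with SMTP auth")."""
    return bool(smtp_auth_ok) and table.is_recent(user, client_ip, now)


def demo():
    """Run the constructed log through the table and return the decisions."""
    table = RecentLogins(ttl_seconds=600)
    parsed = [table.feed_log_line(line, t) for t, line in SAMPLE_LOG]
    return {
        "parsed": parsed,
        "alice_same_ip": submission_allowed(table, True, "alice", "192.0.2.10", 100),
        "alice_other_ip": submission_allowed(table, True, "alice", "203.0.113.7", 100),
        "alice_no_smtp_auth": submission_allowed(table, False, "alice", "192.0.2.10", 100),
        "mallory_failed_login": submission_allowed(table, True, "mallory", "203.0.113.7", 100),
        "alice_expired": submission_allowed(table, True, "alice", "192.0.2.10", 1000),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The check only ever narrows what SMTP AUTH already allows: a stolen password alone is not enough unless the attacker also reaches IMAP/POP from the same address within the window, and a failed IMAP login never opens anything. A real deployment would feed the table from the live log (or Dovecot's post-login hook) rather than a fixed list.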
