2.2.15: SMTP submission server?

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Mon Nov 17 08:04:33 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 17 Nov 2014, Ron Leach wrote:

> Let me list the approach we'd prefer:
>
> (i) MTA open on port 25 for inbound email.
>
> (ii) MTA not open on any other port, because (for example, our) MTAs are 
> constantly faced on port 25 with password attacks, malformed packets,

OK: You've been hacked through SMTP once, ...

> (iii) Users who are logged in to Dovecot (ie, authorised by Dovecot, so not 
> authorised by any software which is subject of attack and which will be 
> compromised from time to time) able to submit outbound messages through 
> Dovecot on the internal network to an MTA which will only relay from the 
> internal network.

... now you try yet another product with exactly the same problem;
your IMAP/POP servers are attacked as well. And most systems do not
separate IMAP and SMTP passwords.

> (iv) No use of STARTTLS; all client messaging to be secure at and from the 
> point of protocol initiation.  SSL=required, in terms of the Dovecot conf.

Personally, I do not think that is more secure.

> Off topic for Dovecot list, but I might think instead about separate inbound 
> and outbound MTAs to achieve containment of inbound MTA compromise.

I believe this approach is the best way for you concerns anyway.
Make this separate server inbound only on port 587, no other services.
You could combine it with an almost instantly sync of users which are
logged in via IMAP/POP in Dovecot incl. IP and allow any requests for
those user/IP combinations. Sort of: SMPT-after-POP but with SMTP auth
and all. Or open IPs only after IMAP/POP-Login succeeded. Or ...

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVGmsEnz1H7kL/d9rAQI/6ggAizgKj3eSpMlBLLV15B5oConMD8aLxLTM
vVn94UmqPNGd8ZqBRM3t07pHT/JCiH4UYvzF5kIXAUQpWebIEit3KH0l/ZlMGd2B
aulwvcuAnJpMoKI6zxiwXxedMec9CDjqImOOIHuOWlJtQcdgR3lOETjWsxtBHdKy
Y6DJRlCP+VRlh/gS7+9msCDzvnfmINphhRDZT2wvUmHt7oK87ElpxpeWFvpBfxyY
46zOShXd04NEujlp/W1nEIXw7qPL9V1RUglzZfpSnxpdsLqPzCUSjCHD8MNQolDn
Nii4p96/Vyxb0RptnMlHAH/tGUA2ead0+pWigCQS7eHok2NV0A6AHw==
=BDPM
-----END PGP SIGNATURE-----

More information about the dovecot mailing list