Loading ...
Sorry, an error occurred while loading the content.

Re: Secure relay from specific internet host to internet

Expand Messages
  • Viktor Dukhovni
    ... When you say secure , what security mechanisms are acceptable? You could operate a TLS protected submission service that the other host can reach via
    Message 1 of 8 , Apr 18, 2013
    • 0 Attachment
      On Thu, Apr 18, 2013 at 04:31:41PM +0200, L.W. van Braam van Vloten wrote:

      > Could you please advise what would be the preferred, secure approach to
      > achieve this?

      When you say "secure", what security mechanisms are acceptable? You
      could operate a TLS protected submission service that the other host
      can reach via suitable SASL credentials or a TLS client certificate.

      Or as Ralf suggests you could just allow it to relay by its IP
      address. IP addresses change from time to time, but key management
      is not a bed of roses either.

      --
      Viktor.
    • Lucas van Braam van Vloten
      Hi, Thanks for your replies. I know how to allow relay by its IP address but I m just afraid that it would be easy to fake an up address and use my server as a
      Message 2 of 8 , Apr 18, 2013
      • 0 Attachment
        Hi,
        Thanks for your replies. I know how to allow relay by its IP address but I'm just afraid that it would be easy to fake an up address and use my server as a spam relay. I would prefer to combine this with some form of authentication. Would you happen to know a good manual for setting up SASL authentication or a client certificate?

        Thanks!
        Lucas

        Viktor Dukhovni <postfix-users@...> schreef:
        On Thu, Apr 18, 2013 at 04:31:41PM +0200, L.W. van Braam van Vloten wrote:

        Could you please advise what would be the preferred, secure approach to
        achieve this?

        When you say "secure", what security mechanisms are acceptable? You
        could operate a TLS protected submission service that the other host
        can reach via suitable SASL credentials or a TLS client certificate.

        Or as Ralf suggests you could just allow it to relay by its IP
        address. IP addresses change from time to time, but key management
        is not a bed of roses either.

        --
        Verzonden van mijn Android telefoon met K-9 Mail.
      • Noel Jones
        [please don t top-post. thanks.] ... While it s easy enough to spoof single IP packets, it s far more difficult to spoof a whole SMTP conversation. Listing an
        Message 3 of 8 , Apr 18, 2013
        • 0 Attachment
          [please don't top-post. thanks.]

          On 4/18/2013 11:09 AM, Lucas van Braam van Vloten wrote:
          > Hi,
          > Thanks for your replies. I know how to allow relay by its IP address
          > but I'm just afraid that it would be easy to fake an up address and
          > use my server as a spam relay.

          While it's easy enough to spoof single IP packets, it's far more
          difficult to spoof a whole SMTP conversation.

          Listing an IP in mynetworks is safe as long as you trust everybody
          at that IP, for some value of "trust".

          > I would prefer to combine this with
          > some form of authentication. Would you happen to know a good manual
          > for setting up SASL authentication or a client certificate?

          http://www.postfix.org/SASL_README.html
          http://www.postfix.org/TLS_README.html

          If you need more detailed instructions, ask for help on a forum
          specific to your OS.



          -- Noel Jones
        • L.W. van Braam van Vloten
          Hi, ... Very well. If adding the IP address to mynetworks provides sufficient security against abuse of my server, I will leave it to that. Thanks for the
          Message 4 of 8 , Apr 22, 2013
          • 0 Attachment

            Hi,

            While it's easy enough to spoof single IP packets, it's far more
            difficult to spoof a whole SMTP conversation.
            Very well. If adding the IP address to mynetworks provides sufficient security against abuse of my server, I will leave it to that.

            Thanks for the advice.

            Lucas

          • Viktor Dukhovni
            ... What is sufficient protection depends on the assumed skills of the attacker. If you re worried about spammers, ... you re probably safe with an IP filter.
            Message 5 of 8 , Apr 22, 2013
            • 0 Attachment
              On Mon, Apr 22, 2013 at 03:01:04PM +0200, L.W. van Braam van Vloten wrote:

              > > While it's easy enough to spoof single IP packets, it's far more
              > > difficult to spoof a whole SMTP conversation.
              >
              > Very well. If adding the IP address to mynetworks provides sufficient
              > security against abuse of my server, I will leave it to that.

              What is sufficient protection depends on the assumed skills of the attacker.

              If you're worried about spammers, ... you're probably safe with an IP
              filter. Just document the reason why that particular IP is on your
              access list, and periodically audit the status of the associated client
              to make sure it still has that IP address and that the relationship with
              that client still requires this access.

              More resourceful attackers may be able to forge traffic from an IP address
              not directly under their control (false BGP route injection, ...), but they
              may also be able to compromise the client machine and misuse or steal
              credentials, ...

              The main advantage of soft credentials (SASL passwords, TLS client
              certs, ...) is that you don't have to worry about IP renumbering
              on the client side, and the client does not have to coordinate IP
              changes on their end with you.

              --
              Viktor.
            • Jan P. Kessler
              ... TCP and therefore SMTP is a bidirectional protocol (SYN-ACK and such). If you really estimate an attacker between you and the remote end, you will need
              Message 6 of 8 , Apr 22, 2013
              • 0 Attachment
                > Very well. If adding the IP address to mynetworks provides sufficient
                > security against abuse of my server, I will leave it to that.

                TCP and therefore SMTP is a bidirectional protocol (SYN-ACK and such).
                If you really estimate an attacker between you and the remote end, you
                will need *verified* TLS. For anything else IP based controls are fine.
              Your message has been successfully submitted and would be delivered to recipients shortly.