Loading ...
Sorry, an error occurred while loading the content.

Re: Secure relay from specific internet host to internet

Expand Messages
  • Lucas van Braam van Vloten
    Hi, Thanks for your replies. I know how to allow relay by its IP address but I m just afraid that it would be easy to fake an up address and use my server as a
    Message 1 of 8 , Apr 18, 2013
    • 0 Attachment
      Hi,
      Thanks for your replies. I know how to allow relay by its IP address but I'm just afraid that it would be easy to fake an up address and use my server as a spam relay. I would prefer to combine this with some form of authentication. Would you happen to know a good manual for setting up SASL authentication or a client certificate?

      Thanks!
      Lucas

      Viktor Dukhovni <postfix-users@...> schreef:
      On Thu, Apr 18, 2013 at 04:31:41PM +0200, L.W. van Braam van Vloten wrote:

      Could you please advise what would be the preferred, secure approach to
      achieve this?

      When you say "secure", what security mechanisms are acceptable? You
      could operate a TLS protected submission service that the other host
      can reach via suitable SASL credentials or a TLS client certificate.

      Or as Ralf suggests you could just allow it to relay by its IP
      address. IP addresses change from time to time, but key management
      is not a bed of roses either.

      --
      Verzonden van mijn Android telefoon met K-9 Mail.
    • Noel Jones
      [please don t top-post. thanks.] ... While it s easy enough to spoof single IP packets, it s far more difficult to spoof a whole SMTP conversation. Listing an
      Message 2 of 8 , Apr 18, 2013
      • 0 Attachment
        [please don't top-post. thanks.]

        On 4/18/2013 11:09 AM, Lucas van Braam van Vloten wrote:
        > Hi,
        > Thanks for your replies. I know how to allow relay by its IP address
        > but I'm just afraid that it would be easy to fake an up address and
        > use my server as a spam relay.

        While it's easy enough to spoof single IP packets, it's far more
        difficult to spoof a whole SMTP conversation.

        Listing an IP in mynetworks is safe as long as you trust everybody
        at that IP, for some value of "trust".

        > I would prefer to combine this with
        > some form of authentication. Would you happen to know a good manual
        > for setting up SASL authentication or a client certificate?

        http://www.postfix.org/SASL_README.html
        http://www.postfix.org/TLS_README.html

        If you need more detailed instructions, ask for help on a forum
        specific to your OS.



        -- Noel Jones
      • L.W. van Braam van Vloten
        Hi, ... Very well. If adding the IP address to mynetworks provides sufficient security against abuse of my server, I will leave it to that. Thanks for the
        Message 3 of 8 , Apr 22, 2013
        • 0 Attachment

          Hi,

          While it's easy enough to spoof single IP packets, it's far more
          difficult to spoof a whole SMTP conversation.
          Very well. If adding the IP address to mynetworks provides sufficient security against abuse of my server, I will leave it to that.

          Thanks for the advice.

          Lucas

        • Viktor Dukhovni
          ... What is sufficient protection depends on the assumed skills of the attacker. If you re worried about spammers, ... you re probably safe with an IP filter.
          Message 4 of 8 , Apr 22, 2013
          • 0 Attachment
            On Mon, Apr 22, 2013 at 03:01:04PM +0200, L.W. van Braam van Vloten wrote:

            > > While it's easy enough to spoof single IP packets, it's far more
            > > difficult to spoof a whole SMTP conversation.
            >
            > Very well. If adding the IP address to mynetworks provides sufficient
            > security against abuse of my server, I will leave it to that.

            What is sufficient protection depends on the assumed skills of the attacker.

            If you're worried about spammers, ... you're probably safe with an IP
            filter. Just document the reason why that particular IP is on your
            access list, and periodically audit the status of the associated client
            to make sure it still has that IP address and that the relationship with
            that client still requires this access.

            More resourceful attackers may be able to forge traffic from an IP address
            not directly under their control (false BGP route injection, ...), but they
            may also be able to compromise the client machine and misuse or steal
            credentials, ...

            The main advantage of soft credentials (SASL passwords, TLS client
            certs, ...) is that you don't have to worry about IP renumbering
            on the client side, and the client does not have to coordinate IP
            changes on their end with you.

            --
            Viktor.
          • Jan P. Kessler
            ... TCP and therefore SMTP is a bidirectional protocol (SYN-ACK and such). If you really estimate an attacker between you and the remote end, you will need
            Message 5 of 8 , Apr 22, 2013
            • 0 Attachment
              > Very well. If adding the IP address to mynetworks provides sufficient
              > security against abuse of my server, I will leave it to that.

              TCP and therefore SMTP is a bidirectional protocol (SYN-ACK and such).
              If you really estimate an attacker between you and the remote end, you
              will need *verified* TLS. For anything else IP based controls are fine.
            Your message has been successfully submitted and would be delivered to recipients shortly.