Re: Secure relay from specific internet host to internet

  • L.W. van Braam van Vloten
    Message 1 of 8, Apr 22, 2013

      Hi,

      > While it's easy enough to spoof single IP packets, it's far more
      > difficult to spoof a whole SMTP conversation.

      Very well. If adding the IP address to mynetworks provides sufficient security against abuse of my server, I will leave it to that.

      Thanks for the advice.

      Lucas

    • Viktor Dukhovni
      Message 2 of 8, Apr 22, 2013
        On Mon, Apr 22, 2013 at 03:01:04PM +0200, L.W. van Braam van Vloten wrote:

        > > While it's easy enough to spoof single IP packets, it's far more
        > > difficult to spoof a whole SMTP conversation.
        >
        > Very well. If adding the IP address to mynetworks provides sufficient
        > security against abuse of my server, I will leave it to that.

        What is sufficient protection depends on the assumed skills of the attacker.

        If you're worried about spammers, ... you're probably safe with an IP
        filter. Just document the reason why that particular IP is on your
        access list, and periodically audit the status of the associated client
        to make sure it still has that IP address and that the relationship with
        that client still requires this access.

        More resourceful attackers may be able to forge traffic from an IP address
        not directly under their control (false BGP route injection, ...), but they
        may also be able to compromise the client machine and misuse or steal
        credentials, ...

        The main advantage of soft credentials (SASL passwords, TLS client
        certs, ...) is that you don't have to worry about IP renumbering
        on the client side, and the client does not have to coordinate IP
        changes on their end with you.

        --
        Viktor.
      • Jan P. Kessler
        Message 3 of 8, Apr 22, 2013
          > Very well. If adding the IP address to mynetworks provides sufficient
          > security against abuse of my server, I will leave it to that.

          TCP and therefore SMTP is a bidirectional protocol (SYN-ACK and such).
          If you really estimate an attacker between you and the remote end, you
          will need *verified* TLS. For anything else IP based controls are fine.
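
The two approaches compared in this thread, written out as alternative Postfix main.cf fragments (an added example, not posted by anyone in the thread). The address 192.0.2.25, the file paths and the use of smtpd_relay_restrictions (Postfix 2.10 and later) are assumptions; the SASL backend setup is not shown.

```ini
# Added example. Use ONE of the two alternatives, not both in the same file.
# 192.0.2.25 is a placeholder for the single remote host allowed to relay.

# ---- Alternative A: relay permission by client IP address ----
# Keep a note next to this entry saying who the client is and why it is
# listed, and re-check periodically that it still owns the address.
mynetworks = 127.0.0.0/8 [::1]/128 192.0.2.25/32
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# ---- Alternative B: relay permission by credential ----
# The remote host is NOT in mynetworks, so a change of its IP address
# needs no coordination with the server operator.
mynetworks = 127.0.0.0/8 [::1]/128

# Server-side TLS (placeholder paths).
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/server.pem
smtpd_tls_key_file = /etc/postfix/tls/server.key

# B1: SASL password, only offered once the session is encrypted.
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

# B2: TLS client certificate, matched by fingerprint against a table
# whose keys are the permitted fingerprints.
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    reject_unauth_destination
```

In both alternatives reject_unauth_destination stays last, so any client that matches none of the permit rules cannot relay to outside domains.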