-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 17 Nov 2014, Ron Leach wrote:
> Let me list the approach we'd prefer:
> (i) MTA open on port 25 for inbound email.
> (ii) MTA not open on any other port, because (for example, our) MTAs are
> constantly faced on port 25 with password attacks, malformed packets,
OK: You've been hacked through SMTP once, ...
> (iii) Users who are logged in to Dovecot (ie, authorised by Dovecot, so not
> authorised by any software which is subject of attack and which will be
> compromised from time to time) able to submit outbound messages through
> Dovecot on the internal network to an MTA which will only relay from the
> internal network.
... now you try yet another product with exactly the same problem;
your IMAP/POP servers are attacked as well. And most systems do not
separate IMAP and SMTP passwords.
> (iv) No use of STARTTLS; all client messaging to be secure at and from the
> point of protocol initiation. SSL=required, in terms of the Dovecot conf.
Personally, I do not think that is more secure.
Off topic for Dovecot list, but I might think instead about separate inbound
and outbound MTAs to achieve containment of inbound MTA compromise.
I believe this approach is the best way for your concerns anyway.
Make this separate server inbound only on port 587, no other services.
You could combine it with an almost instant sync of users which are
logged in via IMAP/POP in Dovecot incl. IP and allow any requests for
those user/IP combinations. Sort of: SMTP-after-POP but with SMTP auth
and all. Or open IPs only after IMAP/POP login succeeded. Or ...
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBVGmsEnz1H7kL/d9rAQI/6ggAizgKj3eSpMlBLLV15B5oConMD8aLxLTM
vVn94UmqPNGd8ZqBRM3t07pHT/JCiH4UYvzF5kIXAUQpWebIEit3KH0l/ZlMGd2B
aulwvcuAnJpMoKI6zxiwXxedMec9CDjqImOOIHuOWlJtQcdgR3lOETjWsxtBHdKy
Y6DJRlCP+VRlh/gS7+9msCDzvnfmINphhRDZT2wvUmHt7oK87ElpxpeWFvpBfxyY
46zOShXd04NEujlp/W1nEIXw7qPL9V1RUglzZfpSnxpdsLqPzCUSjCHD8MNQolDn
Nii4p96/Vyxb0RptnMlHAH/tGUA2ead0+pWigCQS7eHok2NV0A6AHw==
=BDPM
-----END PGP SIGNATURE-----
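The "SMTP-after-POP but with SMTP auth" idea above, sketched as an added example that is not part of the thread and not Dovecot's or any MTA's own code: it reads Dovecot `imap-login`/`pop3-login` "Login:" log lines, remembers which user/IP pairs authenticated recently, and lets a submission server on port 587 consult that table as a second check after its own SMTP AUTH. The log lines, the 15-minute TTL and the `decide_submission` policy function are assumptions for illustration; a real deployment would feed the table from Dovecot's log or a post-login script and query it from the MTA's policy hook.

```python
import re
from datetime import datetime, timedelta

# Shape of a Dovecot login line: "<svc>-login: Login: user=<name>, ..., rip=<remote ip>, ...".
LOGIN_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[0-9a-fA-F.:]+)"
)


class LoginAllowlist:
    """Remembers (user, ip) pairs that authenticated to Dovecot within a TTL."""

    def __init__(self, ttl_seconds=900):  # 15-minute window is an assumed value
        self.ttl = timedelta(seconds=ttl_seconds)
        self._entries = {}  # (user, ip) -> datetime of last IMAP/POP login

    def record(self, user, ip, when):
        self._entries[(user, ip)] = when

    def ingest_log_line(self, line, when):
        """Parse one Dovecot log line; record the login if it is one. Returns (user, ip) or None."""
        m = LOGIN_RE.search(line)
        if not m:
            return None  # disconnects, failed auths etc. never open the door
        self.record(m["user"], m["ip"], when)
        return m["user"], m["ip"]

    def is_recent(self, user, ip, now):
        seen = self._entries.get((user, ip))
        if seen is None:
            return False
        if now - seen > self.ttl:
            del self._entries[(user, ip)]  # expire stale entries lazily
            return False
        return True


def decide_submission(allowlist, user, ip, smtp_auth_ok, now):
    """Port-587 policy: SMTP AUTH must succeed AND the same user must have
    logged in to Dovecot from the same IP recently. Both checks must pass."""
    if not smtp_auth_ok:
        return "reject"
    if not allowlist.is_recent(user, ip, now):
        return "reject"
    return "permit"


# Constructed sample log lines (syslog prefix + Dovecot message); not real data.
SAMPLE_LOG = [
    "Nov 17 10:01:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.10, lip=198.51.100.5, mpid=1234, TLS",
    "Nov 17 10:02:30 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, "
    "rip=192.0.2.20, lip=198.51.100.5, mpid=1235, TLS",
    "Nov 17 10:03:00 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=203.0.113.9, lip=198.51.100.5, TLS",
]


def _ts(line, year=2014):
    # Syslog timestamps carry no year; the year is assumed for the demo.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def run_demo():
    """Feed the sample log in, then evaluate a few submission attempts."""
    al = LoginAllowlist(ttl_seconds=900)
    for line in SAMPLE_LOG:
        al.ingest_log_line(line, _ts(line))

    t = datetime(2014, 11, 17, 10, 10, 0)
    late = datetime(2014, 11, 17, 10, 30, 0)  # more than 15 min after alice's login
    return {
        "alice@192.0.2.10": decide_submission(al, "alice", "192.0.2.10", True, t),
        "alice@203.0.113.9": decide_submission(al, "alice", "203.0.113.9", True, t),
        "alice@192.0.2.10 no-auth": decide_submission(al, "alice", "192.0.2.10", False, t),
        "bob@192.0.2.20": decide_submission(al, "bob", "192.0.2.20", True, t),
        "carol@192.0.2.30": decide_submission(al, "carol", "192.0.2.30", True, t),
        "alice@192.0.2.10 late": decide_submission(al, "alice", "192.0.2.10", True, late),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:28s} -> {v}")
```

The point of keeping both checks is the one Steffen raises: an attacker who has a password still has to present it from an address where the IMAP/POP login recently happened, and a compromised submission daemon cannot widen its own allowlist because the table is written only from Dovecot's side.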