Transparent SMTP proxies?
Bill McGonigle
bill at bfccomputing.com
Wed Jan 23 17:36:54 EST 2008
On Jan 23, 2008, at 08:41, Ben Scott wrote:
> You could configure your SMTP relay to accept any authentication
> attempt (regardless of credentials) from IP addresses on/behind the
> router. Hmmm. Thinking further on it, though, it would have other
> problems. In particular, it breaks SPF, SenderID, and the like.
> Never mind.
Good points - I hadn't thought about those yet.
> I suppose you could just block TCP/25 destined to !you. That's
> increasingly common these days. The idea is that if you're a roaming
> node, you really should be using an MSA anyway.
That would satisfy my criteria for not getting blacklisted, but not
for SMTP working for everybody. :)
> I don't know much about how SMTP+TLS (SSL) works, but it seems
> likely that might also be a problem (i.e., it might see the
> transparent proxy as an intercept attack (which it is)). But see
> above about MSA.
As far as I can tell, all the proxies just relay (~route) TLS traffic
- they don't try to man-in-the-middle it. I suppose one day we will
see Spam Zombies that negotiate TLS, but at least you can then reject
based on PKI. I suspect we'll soon see certificate blacklists like
we now see IP blacklists. Thank goodness bandwidth keeps getting
cheaper...
> No need for a separate IP address; just configure the proxy to
> listen on an alternate TCP port, and use IPtables to redirect all
> connections originally destined to TCP/25 to the alternate port on
> your server.
Cool, I'll try that, thanks.
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
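The port-redirect Ben describes above, written out as an added example (this is not from the list thread, and the interface name, proxy port and MTA address are assumed or constructed values). It generates the iptables rules rather than applying them so they can be reviewed first, and it covers two points the message leaves implicit: hosts that legitimately speak SMTP directly (your own MTA) are exempted from the redirect, and because only --dport 25 is matched, roaming users already on an MSA (587) or TLS-on-connect (465) are untouched.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the iptables rules that send
# LAN hosts' outbound TCP/25 to a transparent SMTP proxy listening on an
# alternate local port (REDIRECT rewrites the destination to this box's own
# address on the incoming interface, so no extra IP is needed).
# Interface, proxy port and exempt addresses are assumptions/constructed values.

# Print the rules instead of running them; pipe the output to sh as root to apply.
smtp_redirect_rules() {
    lan_if="$1"       # inside interface the LAN hosts arrive on (assumption)
    proxy_port="$2"   # alternate port the proxy listens on (assumption)
    shift 2           # remaining args: source addresses allowed to bypass the proxy
    for host in "$@"; do
        # RETURN leaves the chain early, so these hosts reach port 25 directly.
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 25 -j RETURN\n' \
            "$lan_if" "$host"
    done
    # Everyone else on the LAN lands on the proxy. Only --dport 25 is matched,
    # so MSA submission (587) and 465 never enter this rule.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 25 -j REDIRECT --to-ports %s\n' \
        "$lan_if" "$proxy_port"
}

# Constructed values: LAN interface eth1, proxy on 2525, and one exempt host
# (the site's real MTA) using an RFC 5737 documentation address.
smtp_redirect_rules eth1 2525 192.0.2.25
```

Exempt rules must precede the REDIRECT rule, which is why the loop runs first; `iptables -t nat -L PREROUTING -n -v` shows the resulting order and per-rule packet counters, and a climbing counter on the REDIRECT line from a host that should not be sending mail is the quickest sign of a zombie on the LAN.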
More information about the gnhlug-discuss mailing list