jj>
jj>Alan wrote:
jj>>
jj>> On Sat, 2 Aug 1997 Dick_Wall @ stratus . com wrote:
jj>>
jj>> > The question is ...
jj>> >
jj>> > I'm getting approached by various groups in my company, that want to
jj>> > use Web oriented email clients, to access our email servers. That is,
jj>> > they want to use the clients from the Internet points, to access servers
jj>> > on the trusted/internal side of our network. They'd like us therefore,
jj>> > to allow http access through the firewall. We don't allow that now, and
jj>> > I don't plan to allow it in the future.
jj>> >
jj>> > Is there a secure means for providing such email access?
jj>>
jj>> Yes.
jj>>
jj>> Tell them to spend the $20/month and get an off-site e-mail account at a
jj>> local ISP. Then forward their mail to that account.
jj>>
jj>> (Sounds like yet another product that management had been told they "gotta
jj>> have". Making e-mail web based sounds like a perfect way to make it even
jj>> less usable and more inflexible. Sounds like a perfect fit for most of
jj>> the management I have known...)
jj>>
jj>> alan @ ctrl-alt-del . com | Note to AOL users: for a quick shortcut to reply
jj>> Alan Olsen | to my mail, just hit the ctrl, alt and del keys.
jj>
jj>Are you all telling me that there is no way to simply route
jj>in and outbound mail to other mail / SMTP servers
jj>through a firewall without compromising internal mail security?
jj>
The main problem regarding allowing SMTP to pass through is that you
are essentially allowing one to telnet to port 25 on the destination that
SMTP is allowed to reach.
Even if you have internal and external SMTP servers, this network connection
would present a vulnerability should there be a hole in the configuration of
the sendmail daemon listening to port 25.
Several vendors are addressing this issue by providing an SMTP security server
that redirects packets addressed to port 25 on the SMTP server to a spool where
another process picks it up and forwards it onto the next hop towards its
destination.
Because one process is writing and another is reading, the ability to establish
a TCP connection through the firewall to the SMTP server is revoked.
Checkpoint's FireWall-1 3.0 boasts of this feature, but I have not actually
tried to implement it yet.
/\ Jerald E. Josephs
\\ \ Course Developer - Network Security
\ \\ / Sun Educational Services
/ \/ / /
/ / \//\
\//\ / /
/ / /\ /
/ \\ \ Phone/VM: 408-276-0941
\ \\ FAX: 408-276-1565
\/ E-mail: jerald . josephs @ EBay . Sun . COM
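
The spool split described in the message above, as an added example that is not part of the original post and is not FireWall-1's code: `receive` is the only code that sees the client's SMTP lines and it only writes files, while `forward` only reads finished files and relays them. The allowed command subset, the JSON spool format, the line cap and the `deliver` callback are assumptions made for illustration.

```python
import json, os, tempfile

ALLOWED = ("HELO", "MAIL FROM:", "RCPT TO:", "DATA", "QUIT")  # assumed minimal subset
MAX_LINE = 1000  # assumed cap on a single line

def receive(session_lines, spool_dir):
    """Front half: parse the client's SMTP lines and spool each message.
    Never opens a connection to the internal server. Returns spooled paths."""
    sender, rcpts, body, in_data, spooled = None, [], [], False, []
    for raw in session_lines:
        line = raw.rstrip("\r\n")
        if len(line) > MAX_LINE:
            raise ValueError("line too long")
        if in_data:
            if line != ".":
                body.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
                continue
            fd, tmp = tempfile.mkstemp(dir=spool_dir, suffix=".tmp")
            with os.fdopen(fd, "w") as f:
                json.dump({"from": sender, "to": rcpts, "body": body}, f)
            os.rename(tmp, tmp[:-4] + ".msg")  # atomic: reader never sees a partial file
            spooled.append(tmp[:-4] + ".msg")
            sender, rcpts, body, in_data = None, [], [], False
            continue
        verb = next((v for v in ALLOWED if line.upper().startswith(v)), None)
        if verb is None:
            raise ValueError("command refused: " + line[:20])
        arg = line[len(verb):].strip()
        if verb == "MAIL FROM:":
            sender = arg
        elif verb == "RCPT TO:":
            rcpts.append(arg)
        elif verb == "DATA":
            if sender is None or not rcpts:
                raise ValueError("DATA before MAIL/RCPT")
            in_data = True
    return spooled

def forward(spool_dir, deliver):
    """Back half: separate process; reads finished spool files and relays them."""
    sent = 0
    for name in sorted(n for n in os.listdir(spool_dir) if n.endswith(".msg")):
        path = os.path.join(spool_dir, name)
        with open(path) as f:
            msg = json.load(f)
        deliver(msg["from"], msg["to"], msg["body"])  # hypothetical next-hop callback
        os.remove(path)
        sent += 1
    return sent
```

In a deployment the two halves would run as separate processes, with only the forwarder permitted to connect inward.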