Jerald Josephs wrote:
>
> jj>
> jj>Alan wrote:
> jj>>
> jj>> On Sat, 2 Aug 1997 Dick_Wall@stratus.com wrote:
> jj>>
> jj>> > The question is ...
> jj>> >
> jj>> > I'm getting approached by various groups in my company, that want to
> jj>> > use Web oriented email clients, to access our email servers. That is,
> jj>> > they want to use the clients from the Internet points, to access servers
> jj>> > on the trusted/internal side of our network. They'd like us therefore,
> jj>> > to allow http access through the firewall. We don't allow that now, and
> jj>> > I don't plan to allow it in the future.
> jj>> >
> jj>> > Is there a secure means for providing such email access?
> jj>>
> jj>> Yes.
> jj>>
> jj>> Tell them to spend the $20/month and get an off-site e-mail account at a
> jj>> local ISP. Then forward their mail to that account.
> jj>>
> jj>> (Sounds like yet another product that management had been told they "gotta
> jj>> have". Making e-mail web based sounds like a perfect way to make it even
> jj>> less usable and more inflexible. Sounds like a perfect fit for most of
> jj>> the management I have known...)
> jj>>
> jj>> alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
> jj>> Alan Olsen | to my mail, just hit the ctrl, alt and del keys.
> jj>
> jj>Are you all telling me that there is no way to simply route
> jj>in and outbound mail to other mail / SMTP servers
> jj>through a firewall without compromising internal mail security?
> jj>
>
> The main problem regarding allowing SMTP to pass through is that you
> are essentially allowing one to telnet to port 25 on the destination that
> SMTP is allowed to reach.
>
> Even if you have internal and external SMTP servers, this network connection
> would present a vulnerability should there be a hole in the configuration of
> the sendmail daemon listening on port 25.
>
> Several vendors are addressing this issue by providing an SMTP security server
> that redirects packets addressed to port 25 on the SMTP server to a spool where
> another process picks it up and forwards it on to the next hop towards its
> destination.
>
> Because one process is writing and another is reading, the ability to establish
> a TCP connection through the firewall to the SMTP server is revoked.
>
> Checkpoint's FireWall-1 3.0 boasts of this feature, but I have not actually
> tried to implement it yet.
>
>
> Jerald E. Josephs
> Course Developer - Network Security
> Sun Educational Services
> Phone/VM: 408-276-0941
> FAX: 408-276-1565
> E-mail: jerald.josephs@EBay.Sun.COM
Thanks for the response. Yes, that makes sense. -alan
--
Alan M. Goldberg
HJ Heinz Company of Canada Ltd./Intuit Bus Serv & Tech
Bradford, ON CA
http://home.istar.ca/~agoldber - email: agoldber@istar.ca
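The spooling SMTP security server Jerald describes, worked through as an added example that is not FireWall-1's code nor anything posted in this thread. The inbound half speaks SMTP to the untrusted client itself, accepts only a fixed set of verbs, refuses relaying for foreign domains, and writes each finished message to a spool directory; the outbound half (a separate process in real use) reads the spool and opens its own SMTP dialogue to the internal host, so no TCP connection ever spans both sides of the firewall. The relay hostname, the local domain, the spool layout and the client session in `demo()` are all constructed for this example.

```python
import json, os, re, tempfile, uuid

RELAY_NAME = "relay.example.org"                            # assumed name of the relay host
ADDR_RE = re.compile(r"^<([^<>@\s]+@[A-Za-z0-9.-]+)>$")    # strict: no source routes, no comments

class InboundSMTP:
    """Inbound half: one session with an untrusted client.  Unknown verbs get a 5xx here."""
    def __init__(self, spool_dir, local_domains):
        self.spool_dir, self.local_domains = spool_dir, {d.lower() for d in local_domains}
        self.in_data = False
        self._reset()

    def _reset(self):
        self.mail_from, self.rcpt_to, self.body = None, [], []

    def handle_line(self, line):
        """Reply to one client line (no CRLF); None while a DATA line is merely buffered."""
        if len(line) > 1000:                                # RFC 5321 line limit: refuse, don't relay
            return "500 Line too long"
        if self.in_data and line != ".":
            self.body.append(line[1:] if line.startswith(".") else line)  # undo dot stuffing
            return None
        if self.in_data:                                    # a lone "." ends the message
            msg_id, self.in_data = self._spool(), False
            self._reset()
            return "250 OK: queued as " + msg_id
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            return "250 " + RELAY_NAME
        if verb == "MAIL":
            return self._mail(arg)
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb == "DATA":
            if self.mail_from is None or not self.rcpt_to:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"                   # DEBUG, WIZ, VRFY, EXPN, anything else

    def _mail(self, arg):
        if self.mail_from is not None:
            return "503 Sender already specified"
        addr = arg[5:].strip() if arg.upper().startswith("FROM:") else ""
        m = ADDR_RE.match(addr)
        if addr != "<>" and not m:                          # "<>" is the null reverse path (bounces)
            return "501 Syntax: MAIL FROM:<address>"
        self.mail_from = m.group(1) if m else ""
        return "250 OK"

    def _rcpt(self, arg):
        m = ADDR_RE.match(arg[3:].strip()) if arg.upper().startswith("TO:") else None
        if not m:
            return "501 Syntax: RCPT TO:<address>"
        if m.group(1).rsplit("@", 1)[1].lower() not in self.local_domains:
            return "550 Relaying denied"                    # inbound gateway: our own domains only
        self.rcpt_to.append(m.group(1))
        return "250 OK"

    def _spool(self):
        """Write the finished message atomically so the forwarder never sees a partial file."""
        os.makedirs(self.spool_dir, exist_ok=True)
        msg_id = uuid.uuid4().hex
        final = os.path.join(self.spool_dir, msg_id + ".msg")
        with open(final + ".tmp", "w") as f:
            json.dump({"mail_from": self.mail_from, "rcpt_to": self.rcpt_to, "body": self.body}, f)
        os.replace(final + ".tmp", final)
        return msg_id

def outbound_dialogue(entry):
    """Command lines the forwarder sends to the internal host for one spooled message."""
    lines = ["HELO " + RELAY_NAME, "MAIL FROM:<%s>" % entry["mail_from"]]
    lines += ["RCPT TO:<%s>" % r for r in entry["rcpt_to"]] + ["DATA"]
    lines += ["." + l if l.startswith(".") else l for l in entry["body"]]  # re-apply dot stuffing
    return lines + [".", "QUIT"]

def forward_spool(spool_dir, send):
    """Outbound half: deliver each complete .msg via send(lines) -> bool; remove only on success."""
    delivered = 0
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if name.endswith(".msg"):                           # .tmp files are still being written
            with open(path) as f:
                entry = json.load(f)
            if send(outbound_dialogue(entry)):
                os.unlink(path)
                delivered += 1
    return delivered

def demo():
    """Push one constructed client session through both halves; returns what happened."""
    spool = tempfile.mkdtemp(prefix="smtp-spool-")
    srv = InboundSMTP(spool, local_domains=["example.com"])
    client = ["EHLO host.example.net", "MAIL FROM:<mallory@example.net>",
              "RCPT TO:<someone@elsewhere.example.org>",    # not our domain: relaying denied
              "RCPT TO:<alice@example.com>", "DEBUG",       # DEBUG: unknown verb, stops right here
              "DATA", "Subject: hello", "", "..dot-stuffed line", "body line", ".", "QUIT"]
    replies = [srv.handle_line(l) for l in client]
    sent = []                                               # stands in for the internal-side socket
    forwarded = forward_spool(spool, lambda lines: sent.append(lines) or True)
    return {"replies": replies, "forwarded": forwarded, "sent": sent, "spool_left": os.listdir(spool)}
```

The point of the split is visible in `demo()`: the `DEBUG` verb and the relay attempt are answered by the gateway and never appear in the outbound dialogue, and the only thing that crosses to the internal host is a fresh session that the forwarder itself composes from the spooled envelope and body. Writing to a `.tmp` name and renaming it means the forwarder can poll the directory without ever picking up a half-written message.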