[154683] in North American Network Operators' Group


FW: job screening question

daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sat Jul 7 23:32:09 2012

Date: Sat, 07 Jul 2012 21:31:32 -0600
In-Reply-To: <2f05fd19e52aa34682f92ba133eb60ef@mail.dessus.com>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

(now copied to list as well)

On Sat 07 July, 2012 at 20:32, Owen DeLong wrote:

>>> "What TCP destination port numbers should be allowed through the
>>> perimeter stateful firewall device to and from a mail server whose
>>> only purpose is to proxy SMTP mail from internal sources?"
>>> (one number answer)

>> Short Answer:  There is no answer to the question that can be expressed in
>> one number.

> Sure there is, if you count "none" as a number.

None, NIL, NUL, NULL would be valid I suppose if nulls were permitted.  0 however is not correct.

>> Outbound connections to TCP destination port 25 only.  Returning traffic
>> (including associated ICMP) should be automatically handled by your stateful
>> inspection firewall.  If not, you need to buy a better firewall.

> I'd allow 25 and 465 outbound, myself. No reason to block SSL if the remote
> side offers the capability.

http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html

SMTPS is deprecated and port 465 is no longer registered for SMTPS (SMTP over SSL); it is now for

  <record>
    <name>urd</name>
    <protocol>tcp</protocol>
    <description>URL Rendesvous Directory for SSM</description>
    <number>465</number>
  </record>

So even though many folks may still run SMTPS on port 465, you SHOULD be using STARTTLS on port 25.

> ICMP wouldn't be a TCP destination port number anyway.

Very true.  Then again, there is a significant proportion of the same experts who think DNS only runs over UDP ...

> > Any applicant who provides any answer should be rejected out of hand as
> > (a) being unable to read (b) being a threat to security.

> LoL... Some truth to that.

You would be surprised how many people think that if you 
 permit tcp host x.x.x.x any eq 25
to let traffic out, then you need
 permit tcp any eq 25 host x.x.x.x
as the inverse to permit returning traffic.

This is more of a problem when using packet filtering than it is when configuring stateful inspection firewalls.  Nonetheless, the question does ask what should be opened "to and from" in order to "proxy SMTP mail from internal sources".

It could of course just be a brilliant question designed to detect such problems ...

> Owen

Keith

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org
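The point Keith makes about the "inverse" rule (`permit tcp any eq 25 host x.x.x.x`) is easiest to see on concrete packets. The following simulation is an added example, not code from the post or from any firewall vendor: it loosely models Cisco-style ACL matching (including the `established` keyword, which matches only packets with ACK or RST set) alongside a minimal stateful connection table, and runs the same three packets through each. The relay address, the remote addresses and the packets themselves are constructed sample values.

```python
"""Compare a naive "inverse" ACL, an `established`-style ACL, and a stateful
connection table for an outbound-only SMTP relay.

Added example for illustration; it loosely models Cisco-style ACL semantics
and is not code from the mailing-list post. RELAY and the sample packets are
constructed values.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

RELAY = "10.0.0.25"   # constructed: the internal relay ("host x.x.x.x" in the post)
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True = new connection attempt (SYN only); False = ACK set


@dataclass(frozen=True)
class Rule:
    """A single permit entry. None for a port means 'any port'."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool = False   # like Cisco 'established': needs ACK or RST set

    def matches(self, p: Packet) -> bool:
        return (
            self.src in (ANY, p.src)
            and self.sport in (None, p.sport)
            and self.dst in (ANY, p.dst)
            and self.dport in (None, p.dport)
            and (not self.established or not p.syn)
        )


def evaluate(acl: List[Rule], p: Packet) -> bool:
    """Permit-only ACL with an implicit deny at the end."""
    return any(r.matches(p) for r in acl)


class StatefulFirewall:
    """Inbound packets are allowed only as the reverse of a tracked outbound flow."""

    def __init__(self, outbound_acl: List[Rule]) -> None:
        self.outbound_acl = outbound_acl
        self.conntrack: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> bool:
        if evaluate(self.outbound_acl, p):
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

    def inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.conntrack


# permit tcp host x.x.x.x any eq 25
OUT_ACL = [Rule(RELAY, None, ANY, 25)]
# permit tcp any eq 25 host x.x.x.x   (the mistaken "inverse")
NAIVE_IN_ACL = [Rule(ANY, 25, RELAY, None)]
# permit tcp any eq 25 host x.x.x.x established
ESTABLISHED_IN_ACL = [Rule(ANY, 25, RELAY, None, established=True)]


def compare() -> dict:
    """Run three constructed packets through each policy and report the verdicts."""
    out_syn = Packet(RELAY, 51234, "203.0.113.5", 25)            # relay opens SMTP session
    ret = Packet("203.0.113.5", 25, RELAY, 51234, syn=False)      # legitimate reply
    probe = Packet("198.51.100.9", 25, RELAY, 22, syn=True)       # new inbound session, src port 25

    fw = StatefulFirewall(OUT_ACL)
    fw.outbound(out_syn)

    return {
        "naive_allows_return": evaluate(NAIVE_IN_ACL, ret),
        "naive_allows_probe": evaluate(NAIVE_IN_ACL, probe),          # the hole
        "established_allows_return": evaluate(ESTABLISHED_IN_ACL, ret),
        "established_allows_probe": evaluate(ESTABLISHED_IN_ACL, probe),
        "stateful_allows_return": fw.inbound(ret),
        "stateful_allows_probe": fw.inbound(probe),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:28s} {'permit' if verdict else 'deny'}")
```

The naive inverse entry admits any new connection to any port on the relay as long as the sender chose source port 25, which is exactly why it is a packet-filter problem rather than a stateful one. `established` closes the SYN case but still matches any ACK-bearing segment from source port 25, so it is a partial mitigation at best; only the connection table ties inbound traffic to a session the relay actually opened.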
