[rhn-users] Blocking SMTP from telnet

Preston, Gabriel GPreston at concordefs.com
Mon Jan 31 12:59:56 UTC 2005


> Hi
> I have a mail server (sendmail). I want to block telnetting to my SMTP server
> 
> #telnet myip 25
> 
> I want to block this, or allow only secure users to access it.
> How can I do this?
> Thanks in advance
> jijos 
> jijo's

I'm not sure that this is possible because of how the SMTP service is
designed.  I don't believe you can simply block incoming telnet attempts to
your SMTP port.  To quote Brian Keefer on the OpenBSD mailing list:

"Even if you could detect that it was a telnet client by observing the
terminal negotiation attempt, you really haven't gained anything.  You
could write a simple socket program in any language, such as Perl,
Python, etc., and just perform the same function.

Why is everyone over-analyzing the situation?  SMTP is a TCP service
based on 7-bit ASCII commands.  All the communication is human-readable
and doesn't require any special negotiation above the TCP layer (which
is handled automatically).  You can't reliably detect the intent of a
remote party when they connect, only after they start issuing commands
can you make a determination (albeit a crude one) about what they're
trying to do and whether you want to allow it.

There's no easy way to accomplish that.  If there were, companies
wouldn't make millions selling special e-mail protection software that
performs detailed traffic inspection.

Even a proxy firewall in this case doesn't really gain you anything.
The past exploits against SMTP daemons have been by using built-in
commands.  If you're saying the proxy will limit it to "just SMTP
traffic", well so what?  If the daemon has a poor SMTP
implementation, then it's still vulnerable.  It's not like you can
connect to the daemon and just immediately log in to a shell."

Now, if you wanted to allow only specific people access to the SMTP server,
you could set up TCP Wrappers to only permit access from specific IPs.  Or
you could get a more robust SMTP server like Exim or Postfix that is much
more configurable and set it up to require valid logins before being able to
send/retrieve email.

Just my $.02

-gabriel
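
Added example, not part of the original message and not code from sendmail, Exim or Postfix: a sketch of the two controls suggested above (a source-IP allowlist and a required login) applied per command, since the server sees the same bytes whether they come from telnet or a script. The networks, the credential store and the simplified `AUTH user password` form are assumptions made for illustration; real SMTP AUTH uses SASL.

```python
import hmac
import ipaddress

# Assumed policy values, constructed for this example.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # may send without login
VALID_LOGINS = {"alice": "correct horse"}              # stand-in credential store


class SmtpGate:
    """Per-connection policy: the client program is invisible, so decide per command."""

    def __init__(self, peer_ip):
        ip = ipaddress.ip_address(peer_ip)
        self.trusted = any(ip in net for net in TRUSTED_NETS)
        self.authed = False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 hello"
        if verb == "AUTH":
            # Simplified "AUTH user password" (assumption, not the SASL exchange).
            user, _, password = arg.partition(" ")
            expected = VALID_LOGINS.get(user)
            self.authed = expected is not None and hmac.compare_digest(
                expected.encode(), password.encode())
            return "235 authenticated" if self.authed else "535 authentication failed"
        if verb == "MAIL":
            # Sending is allowed only from a trusted network or after a valid login.
            if self.trusted or self.authed:
                return "250 sender ok"
            return "530 authentication required"
        if verb == "QUIT":
            return "221 bye"
        return "502 command not implemented"


def run_session(peer_ip, lines):
    """Feed one connection's command lines through the gate; return the replies."""
    gate = SmtpGate(peer_ip)
    return [gate.handle(line) for line in lines]


# Constructed sample input: the same lines whether typed into telnet or sent by a script.
SAMPLE = ["EHLO client.example\r\n", "MAIL FROM:<a@example.org>\r\n", "QUIT\r\n"]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10"):
        print(ip, run_session(ip, SAMPLE))
```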


 



