The eMail Threat
February 24, 2010
Security Policy Item
Mail: SMTP (25/tcp) to all machines that are not external mail relays; POP (109/tcp and 110/tcp); IMAP (143/tcp)
Vulnerability
Mail vulnerabilities occupy two spots in the SANS Top Ten: sendmail and IMAP/POP. The most widely deployed SMTP implementation, sendmail, has produced a steady stream of advisories and exploits on lists such as Bugtraq over the years. Because mail is virtually omnipresent (nearly every organization uses it, so most firewalls let it through), mail servers are a frequent target for attackers.
SMTP servers are also abused in relay ("bounce") attacks for spamming: an attacker relays junk mail (or worse) through one or more third-party SMTP servers in order to reach a wide audience and to hide the true origin of the messages.
Filter Application
Inappropriate uses of mail should be stopped at the perimeter router. In this example the extended ACL is applied to the inside interface of the perimeter router, as described earlier.
The general syntax of an extended ACL entry is:
access-list {list number} permit|deny {protocol} {src} {wildcard mask} [{operator} {port}] {dest} {wildcard mask} [{operator} {port}] [established] [log]
In a named ACL (ip access-list extended {list name}) each entry is written the same way but without the leading access-list keyword and number, as in the block below. The operator is one of eq, gt, lt, neq or range; the keyword any stands for an address and mask of 0.0.0.0 255.255.255.255, and host {address} for a mask of 0.0.0.0. Entries are evaluated in order and the first match wins.
In the following block from the router's configuration file, we block mail (TCP 25) to all machines except the public mail server on the screened services network. We also block POP and IMAP to every host.
!named ACL Packet Filter
ip access-list extended packet_filter
!Allow Mail (TCP 25) to the mail server
permit tcp any host NNN.16.27.66 eq 25
!Block Mail to all others (TCP 25)
deny tcp any any eq 25 log
!Block POP to all others (TCP 109 and 110)
deny tcp any any range 109 110 log
!Block IMAP to all others (TCP 143), logged like the other denies
deny tcp any any eq 143 log
!Allow other traffic
permit ip any any
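To check what the rule list above actually does before it is applied, the following added example (not part of the original document) re-implements Cisco IOS extended-ACL first-match semantics in Python and evaluates the page's ACL against constructed packets. It supports only the syntax the page uses (any, host A.B.C.D, eq N, range N M, log); the page's placeholder octet NNN is taken as 10 here, which is an assumption so that the addresses parse, and the IMAP entry carries log so that its denials show up in the router log the way the verification section expects.

```python
"""Evaluate the page's 'packet_filter' ACL against sample packets.

Added example, not from the original document: a small re-implementation
of IOS extended-ACL first-match evaluation. Only the syntax used on the
page is supported. The NNN octet is assumed to be 10.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL from the page (NNN -> 10); the IMAP entry is given 'log' so its
# denials appear in the router log as the verification section expects.
ACL_TEXT = """
ip access-list extended packet_filter
 permit tcp any host 10.16.27.66 eq 25
 deny tcp any any eq 25 log
 deny tcp any any range 109 110 log
 deny tcp any any eq 143 log
 permit ip any any
"""

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[range]     # destination ports, None = any port
    log: bool

def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' and return it as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address specifier: {tok}")

def _take_ports(tokens):
    """Consume an optional 'eq N' / 'range N M' and return the port range."""
    if not tokens or tokens[0] not in ("eq", "range"):
        return None
    op = tokens.pop(0)
    lo = int(tokens.pop(0))
    hi = int(tokens.pop(0)) if op == "range" else lo
    return range(lo, hi + 1)

def parse_acl(text):
    """Turn the named-ACL entries into Rule objects, in order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _take_addr(tokens)
        _take_ports(tokens)             # a source-port operator, unused here
        dst = _take_addr(tokens)
        dports = _take_ports(tokens)
        rules.append(Rule(action, proto, src, dst, dports, "log" in tokens))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """Return (action, logged) from the first matching entry.

    IOS ends every ACL with an implicit, unlogged 'deny ip any any'; the
    page's list never reaches it because of its final 'permit ip any any'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action, r.log
    return "deny", False

# Constructed test packets: (proto, src, dst, dport)
PACKETS = [
    ("tcp", "10.16.11.5", "10.16.27.66", 25),    # SMTP to the mail server
    ("tcp", "10.16.11.5", "10.16.27.70", 25),    # SMTP to another host
    ("tcp", "10.16.11.5", "10.16.27.66", 143),   # IMAP, even to the mail server
    ("tcp", "10.16.11.5", "10.16.27.66", 110),   # POP3
    ("tcp", "10.16.11.5", "10.16.27.66", 80),    # unrelated TCP service
    ("udp", "10.16.11.5", "10.16.27.66", 25),    # UDP/25 is not matched by tcp entries
]

def check_policy():
    """Evaluate every sample packet; returns {packet: (action, logged)}."""
    rules = parse_acl(ACL_TEXT)
    return {pkt: evaluate(rules, *pkt) for pkt in PACKETS}

if __name__ == "__main__":
    for pkt, (action, logged) in check_policy().items():
        print(f"{pkt[0]} {pkt[1]} -> {pkt[2]}:{pkt[3]:<4} {action:6} {'log' if logged else ''}")
```

The UDP case is worth noticing: the deny entries are written for tcp only, so anything else on port 25 falls through to the final permit. That is correct for SMTP, which is TCP-only, but it is the kind of gap to look for when a list is extended to other services.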
The "packet_filter" ACL is applied outbound on the internal router interface. The directions in and out are relative to the router, not the network: traffic that arrived from the outside leaves the router through the inside interface, so an outbound list on that interface filters everything heading into the internal network. From privileged EXEC mode:
router# conf t
router(config)# int eth2/0
router(config-if)# ip access-group packet_filter out
Additional Actions
Another step to make mail safer, where mail is required, is the Mail Guard feature on the PIX firewall. It lets the protected mail server receive only a safe subset of the commands from RFC 821: HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT. Any other command is rejected by the firewall itself with the reply "500 command unrecognized". Note that EHLO is not in the list, so ESMTP clients fall back to plain HELO and the extensions negotiated through EHLO (STARTTLS and AUTH, for example) are not available through the firewall. The command syntax is:
fixup protocol smtp 25
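The following added example (not part of the original document, and not Cisco's code) emulates the command filter the text describes and runs a constructed ESMTP client transcript through it, so the effect on a client that opens with EHLO and then tries STARTTLS and AUTH can be seen. The server replies are canned stand-ins for a real MTA and the hostnames are assumptions.

```python
"""Emulate the PIX Mail Guard command filter over a constructed SMTP session.

Added example, not from the original document. Only HELO, MAIL, RCPT, DATA,
RSET, NOOP and QUIT are forwarded to the server; anything else is answered
by the "firewall" with '500 command unrecognized'. Server replies are canned.
"""
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REJECT = "500 command unrecognized"

# Canned replies from the protected server, keyed by command verb (assumed).
SERVER_REPLIES = {
    "HELO": "250 mail.example.test",
    "MAIL": "250 2.1.0 Ok",
    "RCPT": "250 2.1.5 Ok",
    "DATA": "354 End data with <CR><LF>.<CR><LF>",
    "RSET": "250 2.0.0 Ok",
    "NOOP": "250 2.0.0 Ok",
    "QUIT": "221 2.0.0 Bye",
}

def mail_guard_session(client_lines):
    """Run client lines through the filter; return [(line, reply, who)].

    'who' is 'pix' when the firewall answered itself and 'server' when the
    line was forwarded. The filter is stateful: once DATA has been accepted,
    lines are message body and pass through untouched until the lone '.'.
    """
    transcript, in_data = [], False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                transcript.append((line, "250 2.0.0 Ok: queued", "server"))
            else:
                transcript.append((line, None, "server"))   # body, not a command
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED:
            transcript.append((line, REJECT, "pix"))
            continue
        transcript.append((line, SERVER_REPLIES[verb], "server"))
        if verb == "DATA":
            in_data = True
    return transcript

# Constructed ESMTP client: opens with EHLO, tries STARTTLS and AUTH, then
# sends a message whose body contains a line starting with a real SMTP verb.
CLIENT = [
    "EHLO relay.example.test",
    "HELO relay.example.test",
    "STARTTLS",
    "AUTH LOGIN",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "VRFY bob",
    "DATA",
    "Subject: test",
    "",
    "EXPN is just a word in this body, not a command.",
    ".",
    "QUIT",
]

def rejected_verbs(transcript):
    """Verbs the firewall refused to forward, in order."""
    return [line.split(" ", 1)[0] for line, _, who in transcript if who == "pix"]

if __name__ == "__main__":
    for line, reply, who in mail_guard_session(CLIENT):
        print(f"C: {line}")
        if reply:
            print(f"S({who}): {reply}")
```

The DATA state matters: a filter that applied the verb check to every line would reject message bodies that happen to start with a word such as EXPN, so the command subset can only be enforced between commands, not inside the message.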
Filter Verification
The mail packet filters can be tested by attempting to use the blocked services from outside the perimeter router. Since the protocols are all TCP, telnet to the blocked port is enough to attempt a connection; IMAP blocking, for example, can be checked with: telnet NNN.16.27.66 143. Test the permitted case as well: telnet NNN.16.27.66 25 should reach the mail server and return its SMTP banner, while the same connection to any other host should fail. A denied attempt either fails immediately, because the router answers with an ICMP administratively prohibited message, or times out if ip unreachables has been disabled on the interface; in either case the router log is the authoritative confirmation.
The following log excerpt from the perimeter router (probes against NNN.16.27.70 rather than the mail server) shows that the connection attempts to IMAP port 143 and SMTP port 25 were stopped by the "packet_filter" ACL:
03:26:23: %SEC-6-IPACCESSLOGDP: list packet_filter denied tcp NNN.16.11.5(41234) -> NNN.16.27.70(143), 1 packet
03:27:59: %SEC-6-IPACCESSLOGDP: list packet_filter denied tcp NNN.16.11.5(25189) -> NNN.16.27.70(25), 1 packet
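A probe that simply hangs or is refused proves little on its own; the confirmation is the matching log entry from the right ACL. The following added example (not part of the original document) parses router ACL log lines in the format quoted above and pairs them with the probes that were sent, distinguishing a denial by packet_filter from a denial by some other list and from silence. The log lines are constructed for the example, with the page's NNN octet taken as 10, which is an assumption.

```python
"""Confirm outside probes against the router's ACL log.

Added example, not from the original document. Parses the
%SEC-6-IPACCESSLOG* lines IOS emits for ACL entries carrying 'log' and
matches them to the probes sent. Log lines are constructed; NNN is assumed
to be 10.
"""
import re

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed log: the two entries from the page, a POP3 denial, a denial by
# a different ACL, and an unrelated interface message that must be ignored.
SAMPLE_LOG = """\
03:26:23: %SEC-6-IPACCESSLOGDP: list packet_filter denied tcp 10.16.11.5(41234) -> 10.16.27.70(143), 1 packet
03:27:59: %SEC-6-IPACCESSLOGDP: list packet_filter denied tcp 10.16.11.5(25189) -> 10.16.27.70(25), 1 packet
03:28:10: %SEC-6-IPACCESSLOGDP: list packet_filter denied tcp 10.16.11.5(25190) -> 10.16.27.66(110), 1 packet
03:29:02: %SEC-6-IPACCESSLOGDP: list other_acl denied tcp 10.16.11.5(25191) -> 10.16.27.66(143), 1 packet
03:30:00: %LINK-3-UPDOWN: Interface Ethernet2/0, changed state to up
"""

# Probes sent from outside: (destination, port, expected outcome)
PROBES = [
    ("10.16.27.70", 143, "deny"),
    ("10.16.27.70", 25, "deny"),
    ("10.16.27.66", 110, "deny"),
    ("10.16.27.66", 143, "deny"),    # denied in the log, but not by packet_filter
    ("10.16.27.66", 25, "permit"),   # SMTP to the mail server must pass
]

def parse_acl_log(text):
    """Extract the ACL log events; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            for key in ("sport", "dport", "count"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events

def confirm_probes(probes, events, acl="packet_filter"):
    """Pair each probe with the log. Returns {(dst, port): verdict}.

    Only denials logged by the named ACL count as confirmation. A permit
    entry without 'log' leaves no trace, so an expected permit can only be
    reported as consistent, not proven.
    """
    verdicts = {}
    for dst, port, expected in probes:
        denied_by = sorted({ev["acl"] for ev in events
                            if ev["action"] == "denied" and ev["proto"] == "tcp"
                            and ev["dst"] == dst and ev["dport"] == port})
        if expected == "deny":
            if acl in denied_by:
                verdict = "confirmed: denied by " + acl
            elif denied_by:
                verdict = "unconfirmed: denied only by " + ",".join(denied_by)
            else:
                verdict = "unconfirmed: no denial logged"
        else:
            verdict = ("UNEXPECTED: denied by " + ",".join(denied_by)
                       if denied_by else "consistent: no denial logged")
        verdicts[(dst, port)] = verdict
    return verdicts

if __name__ == "__main__":
    for (dst, port), verdict in confirm_probes(PROBES, parse_acl_log(SAMPLE_LOG)).items():
        print(f"{dst}:{port:<4} {verdict}")
```

The "denied only by other_acl" case is the one to chase: the probe was stopped, but not by the list under test, so the mail filter itself has not been verified for that host and port.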