Hello list, how can I turn off the "feature" that anybody can telnet to my smtp-port? Are there any special progs necessary, or is the PrivacyOption goaway or similar enough? How do you handle that? thanx, Enrico
"E. Scichilone" wrote:
Hello list, how can I turn off the "feature" that anybody can telnet to my smtp-port? Are there any special progs necessary, or is the PrivacyOption goaway or similar enough? How do you handle that? thanx
close the port with your firewall (ipchains/iptables) or stop the daemon if you don't need it.
--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
"E. Scichilone" wrote:
Hello list, how can I turn off the "feature" that anybody can telnet to my smtp-port? Are there any special progs necessary, or is the PrivacyOption goaway or similar enough? How do you handle that? thanx
close the port with your firewall (ipchains/iptables) or stop the daemon if you don't need it.
:-)
No, sorry, I need the port to be open for mail handling... Enrico
"E. Scichilone" wrote:
close the port with your firewall (ipchains/iptables) or stop the daemon if you don't need it.
:-)
No, sorry, I need the port to be open for mail handling...
telnetting to the box isn't different to a normal smtp connection. If you stop telnet, you also stop normal smtp clients.
Hi,
"E. Scichilone" wrote:
close the port with your firewall (ipchains/iptables) or stop the daemon if you don't need it.
:-)
No, sorry, I need the port to be open for mail handling...
telnetting to the box isn't different to a normal smtp connection. If you stop telnet, you also stop normal smtp clients.
Does that mean that I have to run a telnet daemon if I want to run SMTP? (Sorry, I'm new to mailserver configuration, so it is perhaps a stupid question...) regards, Sebastian Nerz
Hi,
"E. Scichilone" wrote:
close the port with your firewall (ipchains/iptables) or stop the daemon if you don't need it.
:-)
No, sorry, I need the port to be open for mail handling...
telnetting to the box isn't different to a normal smtp connection. If you stop telnet, you also stop normal smtp clients.
Does that mean that I have to run a telnet daemon if I want to run SMTP? (Sorry, I'm new to mailserver configuration, so it is perhaps a stupid question...)
No, you don't need to have a telnet daemon running. Just try `telnet www.bundestag.de:80` for example... :-) Enrico
"E. Scichilone" wrote:
Hi,
"E. Scichilone" wrote:
close the port with your firewall (ipchains/iptables) or stop the daemon if you don't need it.
:-)
No, sorry, I need the port to be open for mail handling...
telnetting to the box isn't different to a normal smtp connection. If you stop telnet, you also stop normal smtp clients.
Does that mean that I have to run a telnet daemon if I want to run SMTP? (Sorry, I'm new to mailserver configuration, so it is perhaps a stupid question...)
No, you don't need to have a telnet daemon running. Just try `telnet www.bundestag.de:80` for example... :-)
lose the : and make a space ;)
Hi Sebastian,

> > > No, sorry, I need the port to be open for mail handling...
> > telnetting to the box isn't different to a normal smtp connection. If you stop telnet, you also stop normal smtp clients.
> Does that mean that I have to run a telnet daemon if I want to run SMTP?
> (Sorry, I'm new to mailserver configuration, so it is perhaps a stupid question...)

Looks like you're new to networks as well. You are severely confused here. To straighten things out:
- Any TCP service (like sendmail) listens on a specific port number.
- Any program could be made to connect to any remote port.
- Security and privacy are in the "service", which will not reveal important things to unidentified remote parties.
- There is nothing you can do to prevent any "specific" client (like telnet) from connecting to any port of yours.
OK, you got this answer cause I had a good laugh. Now go and get yourself some primers on basic networking. Some simple queries to google and some patience will reveal how things work. And maybe stop this silly discussion...
"E. Scichilone" wrote:
close the port with your firewall (ipchains/iptables) or stop the daemon if you don't need it.
:-)
No, sorry, I need the port to be open for mail handling...
telnetting to the box isn't different to a normal smtp connection. If you stop telnet, you also stop normal smtp clients.
Hmm, the point is that I have heard some talk about something like an SMTP proxy (?), which IIRC was meant as one machine acting like a firewall that "filters" and forwards mails to another machine, which is the mailserver. I'm not sure if this is the right description (it's a pretty long time ago), but maybe it could help you help me. Could this chain of 2 machines possibly be simulated by a forward policy in my iptables rules? Thx and have a nice weekend, Enrico
"E. Scichilone" wrote:
Hmm, the point is that I have heard some talk about something like an SMTP proxy (?), which IIRC was meant as one machine acting like a firewall that "filters" and forwards mails to another machine, which is the mailserver. I'm not sure if this is the right description (it's a pretty long time ago), but maybe it could help you help me. Could this chain of 2 machines possibly be simulated by a forward policy in my iptables rules?
such things exist but they're mostly useless. No proxy that I know of has as many features to e.g. block spam etc. as an smtpd has (postfix in my case). Instead of putting an smtp proxy on your firewall, use iptables to forward the connections from your firewall's port 25 to the mailserver.
Thx and have a nice weekend
same to you ;)
Sven Michels wrote:
No, sorry, I need the port to be open for mail handling...
telnetting to the box isn't different to a normal smtp connection. If you stop telnet, you also stop normal smtp clients.
just to be more verbose: if you stop telnet CLIENTS from connecting to your smtpd, you'll also stop any mailclient or mailserver from connecting to your smtpd, because they make a connection just like the telnet client does. That does not mean that you can/should stop your (hopefully not running, because it's insecure ;) telnetd(aemon).
On Friday 15 March 2002 19.08, Sven Michels wrote:
stop your (hopefully not running, cause its insecure ;) telnetd(aemon).
It's only insecure if it's used on the open net where it can be snooped. There's nothing insecure about the server as such. At least I haven't heard about any exploits against it. //Anders
Anders Johansson wrote:
On Friday 15 March 2002 19.08, Sven Michels wrote:
stop your (hopefully not running, cause its insecure ;) telnetd(aemon).
It's only insecure if it's used on the open net where it can be snooped. There's nothing insecure about the server as such. At least I haven't heard about any exploits against it.
then you've missed something really important. http://linux.oreillynet.com/pub/a/linux/2001/07/23/insecurities.html
On Friday 15 March 2002 19.13, Sven Michels wrote:
Anders Johansson wrote:
On Friday 15 March 2002 19.08, Sven Michels wrote:
stop your (hopefully not running, cause its insecure ;) telnetd(aemon).
It's only insecure if it's used on the open net where it can be snooped. There's nothing insecure about the server as such. At least I haven't heard about any exploits against it.
then you've missed something really important.
http://linux.oreillynet.com/pub/a/linux/2001/07/23/insecurities.html
1. article dated 07/23/2001, hopefully there is a fix by now
2. Already at the time of writing, the current linux telnet daemons were unaffected by the bug.
3. Yes, telnet like any server can have buffer overflows or other remotely exploitable bugs, but it's not in any way different in this from other servers.
If you have a local net where you have control of root on all systems so you don't have to worry about sniffers, you can run telnetd without any more worry than with your other services. Yes you have to monitor security lists for items such as the above, but it's not an item of special concern.
//Anders
telnet is insecure because it does everything in plain text, including passwords. Better practice is to close your telnetd and use sshd (OpenSSH or others); that way your traffic is encrypted, and your network is more secure.
--Dennis

Anders Johansson wrote:
On Friday 15 March 2002 19.13, Sven Michels wrote:
Anders Johansson wrote:
On Friday 15 March 2002 19.08, Sven Michels wrote:
stop your (hopefully not running, cause its insecure ;) telnetd(aemon).
It's only insecure if it's used on the open net where it can be snooped. There's nothing insecure about the server as such. At least I haven't heard about any exploits against it.
then you've missed something really important.
http://linux.oreillynet.com/pub/a/linux/2001/07/23/insecurities.html
1. article dated 07/23/2001, hopefully there is a fix by now
2. Already at the time of writing, the current linux telnet daemons were unaffected by the bug.
3. Yes, telnet like any server can have buffer overflows or other remotely exploitable bugs, but it's not in any way different in this from other servers.
If you have a local net where you have control of root on all systems so you don't have to worry about sniffers, you can run telnetd without any more worry than with your other services. Yes you have to monitor security lists for items such as the above, but it's not an item of special concern.
//Anders
--
-------------------------------------------------------------------------
Dennis "BassDude" Fox | dfox@ia.net OR bassdude@newcreationchurch.net
Bureaucracy is the art of making the possible impossible -Javier Pascual Salcedo
-------------------------------------------------------------------------
hi,
how can I turn off the "feature" that anybody can telnet to my smtp-port? Are there any special progs necessary, or is the PrivacyOption goaway or similar enough? How do you handle that?
yes, if you deactivate your smtp service it's possible, otherwise not. If you want anyone to be able to connect to your smtp service, they can connect with telnet. But if you have a static ip you can set up some iptables rules, to allow only connections from your ip for example.
greetings, nico
On Fri, Mar 15, 2002 at 06:37:54PM +0100, Nico Puhlmann wrote:
hi,
how can I turn off the "feature" that anybody can telnet to my smtp-port? Are there any special progs necessary, or is the PrivacyOption goaway or similar enough? How do you handle that?
yes, if you deactivate your smtp service it's possible, otherwise not. If you want anyone to be able to connect to your smtp service, they can connect with telnet. But if you have a static ip you can set up some iptables rules, to allow only connections from your ip for example.
If you are using sendmail and you do not want anyone outside the localhost to be able to send mail to sendmail, you can add the following to sendmail.cf:
O DaemonPortOptions=Addr=localhost,Name=MTA
If you turn sendmail completely off then fetchmail stops working, because it dumps received mail into port 25. Be careful: unless you tell it not to, yast likes to re-write sendmail.cf, wiping out your changes.
--
Paul Elliott 1(512)837-1096 pelliott@io.com
PMB 181, 11900 Metric Blvd Suite J http://www.io.com/~pelliott/pme/
Austin TX 78758-3117
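Added example, not code from the thread or from sendmail: it models the two access-control ideas above in a few lines of Python so they can be tried without root or a firewall. Binding the listener to 127.0.0.1 is the effect of Paul's `Addr=localhost`; the address allowlist is the effect of Nico's "iptables rules to allow only connections from your ip", checked here in the application rather than in the packet filter. The allowlist, the host name and the sample addresses are constructed for this example.

```python
"""Limiting who can reach an SMTP listener (added example, not from the thread).

1. Bind to the loopback address only, the effect of sendmail's
   `O DaemonPortOptions=Addr=localhost,Name=MTA`: a socket bound to
   127.0.0.1 cannot be reached from another host at all.
2. Accept only an allowlist of source networks, the effect of iptables
   rules permitting port 25 from one static address. Done here in the
   application so it runs anywhere; on a real host the packet filter is
   the better place, because it rejects before the daemon is touched.
"""
import ipaddress
import socket
import threading

# Constructed allowlist: loopback plus one fictional static address
# (192.0.2.0/24 is the TEST-NET-1 documentation range).
ALLOWED_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def source_allowed(peer_ip: str, allowlist=ALLOWED_SOURCES) -> bool:
    """True if peer_ip lies inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:          # not an IP literal at all
        return False
    return any(addr in net for net in allowlist)


def smtp_decision(peer_ip: str) -> bytes:
    """First line the listener sends: 220 greets, 554 refuses the peer."""
    if source_allowed(peer_ip):
        return b"220 mail.example.test ESMTP ready\r\n"
    return b"554 connection refused from your address\r\n"


def start_listener(bind_addr="127.0.0.1", port=0):
    """Start a one-shot SMTP banner server bound to bind_addr.

    Returns (host, port, thread). Binding to 127.0.0.1 rather than 0.0.0.0
    is what keeps remote hosts out, independent of the allowlist.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)
    host, port = srv.getsockname()

    def serve_one():
        conn, (peer_ip, _) = srv.accept()
        with conn:
            conn.sendall(smtp_decision(peer_ip))
            conn.sendall(b"221 bye\r\n")
        srv.close()

    t = threading.Thread(target=serve_one, daemon=True)
    t.start()
    return host, port, t


def connect_and_read_banner(host, port) -> str:
    """Client side: the first line `telnet host 25` would show."""
    with socket.create_connection((host, port), timeout=5) as c:
        return c.recv(1024).decode().split("\r\n")[0]


if __name__ == "__main__":
    host, port, t = start_listener()
    print("banner from loopback:", connect_and_read_banner(host, port))
    t.join()
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "->", smtp_decision(ip).decode().strip())
```

Run as a script it starts the loopback listener, connects to it the way a telnet client would, and prints the greeting; the two extra addresses show the allowlist accepting the static address and refusing a stranger. Note that a source-address check, whether here or in iptables, only helps when the set of legitimate senders is small and fixed; a public MX has to accept connections from anywhere, which is the point Sven and Michael make.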
--On Friday, March 15, 2002 18:32:07 +0100 "E. Scichilone" wrote:
Hello list, how can I turn off the "feature" that anybody can telnet to my smtp-port? Are there any special progs necessary, or is the PrivacyOption goaway or similar enough? How do you handle that? thanx
A telnet client is different to an smtp client in the interpretation of a single character, IAC or 0xff, which is an escape for telnet metadata. In theory you could use that fact to detect a telnet client, but I have never heard of anyone doing it and I don't think that it would help you much. Blocking telnet does not raise the security of your mail in any way. Sendmail can block mail based on a set of rules, or you can perhaps use TLS to verify the sender.
/Michael
--
This space intentionally left non-blank.
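Added example, not from the thread: a small parser for the one difference Michael names. It separates telnet protocol bytes (IAC, 0xff, and the command that follows it) from the SMTP dialogue on the same connection, and a detector built on it flags a connection that actually negotiated telnet options. The byte values are those of the telnet protocol (RFC 854/855); the sample streams are constructed for this example.

```python
"""Separate telnet negotiation from SMTP bytes (added example, not from the thread).

Telnet escapes commands with IAC (0xff). After IAC: IAC again is a literal
0xff; WILL/WONT/DO/DONT (0xfb..0xfe) carry one option byte; SB (0xfa)
opens a subnegotiation that ends at IAC SE (0xff 0xf0); other values in
0xf0..0xfe are single-byte commands.
"""
IAC = 0xFF
SE, SB = 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
TELNET_COMMANDS = set(range(0xF0, 0xFF))   # 0xf0..0xfe; 0xff is IAC itself


def split_telnet(stream: bytes):
    """Return (smtp_bytes, negotiations).

    smtp_bytes is the stream with telnet sequences removed and IAC IAC
    collapsed to one 0xff; negotiations lists each telnet sequence found.
    """
    out = bytearray()
    found = []
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                      # IAC at end of buffer: keep it
            out.append(b)
            break
        cmd = stream[i + 1]
        if cmd == IAC:                      # escaped literal 0xff (8-bit data)
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT) and i + 2 < n:
            found.append(bytes(stream[i:i + 3]))   # command + option byte
            i += 3
        elif cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:                   # unterminated: record the rest
                found.append(bytes(stream[i:]))
                i = n
            else:
                found.append(bytes(stream[i:end + 2]))
                i = end + 2
        elif cmd in TELNET_COMMANDS:
            found.append(bytes(stream[i:i + 2]))
            i += 2
        else:                               # IAC before a non-command: plain data
            out.append(b)
            i += 1
    return bytes(out), found


def looks_like_telnet_client(stream: bytes) -> bool:
    """True if the stream carries at least one telnet option negotiation."""
    return len(split_telnet(stream)[1]) > 0


# Constructed sample streams, as a server might read them after accept().
SAMPLES = {
    "plain smtp": b"EHLO mail.example.test\r\n",
    "telnet negotiating": b"\xff\xfd\x03\xff\xfb\x18HELO x\r\n",
    "8-bit body byte": b"\xff\xff",
    "subnegotiation": b"\xff\xfa\x18\x00VT100\xff\xf0QUIT\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        smtp, neg = split_telnet(raw)
        print(f"{name:20s} telnet={looks_like_telnet_client(raw)!s:5} "
              f"smtp={smtp!r} negotiations={neg}")
```

Two caveats the thread only hints at: a telnet client connected to a port other than 23 normally sends no IAC at all unless the server starts negotiating, so most manual sessions look exactly like a mail client, and a message body sent under 8BITMIME may legitimately contain 0xff (escaped or not, depending on the client). The parser therefore strips rather than rejects, and the detector is at best a low-confidence signal, which is why Michael's conclusion stands: it is not a security control for the mail itself.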
participants (9)
- Anders Johansson
- Dennis Fox
- E. Scichilone
- Michael Salmon
- Nico Puhlmann
- Paul Elliott
- Peter van den Heuvel
- Sebastian Nerz
- Sven Michels