Should IMAP/SMTP SSL ports be blocked at the firewall?

By The Dalles Dweller
Our standard practice is to block all incoming/outgoing ports on our firewall and only open what is needed. With the proliferation of handheld devices using push email technology, it seems we are having to add more and more rules to allow SSL IMAP and SMTP traffic to outside servers.

It's been suggested to me to open port 993 and 587 completely so visitors to our network can still receive email that is pushed to their devices without us having to put a rule in.

What are other folks doing with this? Anyone think this would be a huge security hole?

Thanks!
Bryan


by banksmail In reply to Should IMAP/SMTP SSL port ...

Rule of thumb is to block anything you are not using, to reduce your attack surface, but if you need to use SSL IMAP there is nothing wrong with opening those ports, and personally I'd rather have SSL IMAP open and regular IMAP (TCP 143) closed. This way your traffic is encrypted. For SMTP, port 587 is actually preferred over 25, according to RFC 2476 (http://www.ietf.org/rfc/rfc2476.txt) under section 3:

3. Message Submission

3.1. Submission Identification

Port 587 is reserved for email message submission as specified in
this document. Messages received on this port are defined to be
submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with
additional restrictions as specified here.

While most email clients and servers can be configured to use port
587 instead of 25, there are cases where this is not possible or
convenient. A site MAY choose to use port 25 for message submission,
by designating some hosts to be MSAs and others to be MTAs.


I wouldn't turn off port 25, since it is the standard port whether or not it is recommended to use 587, but I would definitely enable 587 and bind your SSL cert to both it and your IMAPS port.

Steve

Steven Banks, MCP, CSSA [SBS MVP]
Microsoft Small Business Specialist
Banks Consulting Northwest Inc.
steve@banksnw.com / www.banksnw.com

Co-author, Windows Small Business Server 2008 Unleashed,
Advanced Windows Small Business Server 2003 Best Practices
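
The egress policy discussed in this thread, written as an nftables ruleset. This is an added example, not part of either post; the firewall product in the thread is not named, so nftables, the table name and the interface names `lan0` and `wan0` are assumptions.

```nftables
# Constructed example: default-deny forwarding with outbound 993 and 587
# opened to any outside server, so no per-server rule is needed.
# Assumed interfaces: lan0 = internal/visitor side, wan0 = Internet side.

define LAN_IF = "lan0"
define WAN_IF = "wan0"

table inet mail_egress {
    # Ports opened for outbound mail clients
    set mail_client_ports {
        type inet_service
        elements = { 993, 587 }    # IMAP over SSL, message submission
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for connections that were allowed out below
        ct state established,related accept
        ct state invalid drop

        # New outbound connections to the two mail ports, any destination
        iifname $LAN_IF oifname $WAN_IF tcp dport @mail_client_ports ct state new accept

        # Cleartext IMAP stays closed; log attempts so misconfigured
        # clients show up before the default drop hides them
        iifname $LAN_IF oifname $WAN_IF tcp dport 143 log prefix "egress-imap-143 " drop

        # Everything else falls through to policy drop
    }
}
```

The rule matches on port number only: 993 is TLS from the first byte, while a session on 587 is encrypted only once the client negotiates STARTTLS with the server.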
