Outbound port mystery.....!

Discussion regarding the Standard version.
terryp
Posts: 3
Joined: Thu Sep 02, 2004 2:26 pm

Outbound port mystery.....!

Post by terryp »

I have had ME running on my site for some time, but never really worried too much about my firewall. I recently bought a Draytek router / firewall and locked down the IP that I have assigned to ME to only allow inbound and outbound traffic on ports 25 and 110.

The next thing I know is that no mail is being delivered, and a check through the firewall logs suggests that ME is using a different port each time to send mail, from 28080 upwards.

I've currently had to allow connections to and from any IP originating from port 25 to the ME IP address, but this is a bit open (any attacker using port 25 will be able to send packets to any bit of the server).

I'm confused! Is this how it's supposed to work?

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Post by Kiliman »

With any TCP connection, there's a source port and destination port.

For SMTP connections, the destination port is 25. The source port is usually a random port.

Your firewall rules should:
* ALLOW inbound destination port 25, any source port
* ALLOW outbound destination port 25, any source port
* BLOCK everything else.

Kiliman

terryp
Posts: 3
Joined: Thu Sep 02, 2004 2:26 pm

Ta.....

Post by terryp »

That's how I ended up with my rules set, but surely that leaves you open if a hacker attacks you via port 25 on their PC, since they would have access to any port on yours......??

terryp
Posts: 3
Joined: Thu Sep 02, 2004 2:26 pm

Post by terryp »

I don't think I explained it that well, I'll have another go.....

My firewall has these rules set :-

Allow incoming traffic to port 25
Allow outgoing traffic to port 25

The problem then appears that when sending outbound email, some packets come back into my network (i.e. the response to the HELO command). My firewall is dutifully blocking these. The only way I can get round the situation is to add another rule, saying :-

Allow incoming traffic to any port from port 25

That's the bit I just don't like.......

dreniarb
Posts: 319
Joined: Mon Jan 19, 2004 5:00 pm
Location: Marion, IN

Post by dreniarb »

You need to take off the block you have set up for your mail server's IP address. From the way you describe your setup, I'd be surprised if you could pull up webpages from that machine. I'm no TCP/IP expert by any stretch, but I'm pretty sure that when you send out a TCP/IP request through a router, the router tells the destination port "hey, respond back on this random port number I've just picked out". If you have all ports blocked except 1 (out of the thousands possible) you can't get a response back.

Run the TCPView program available from Sysinternals. With it running, watch as you pull up a webpage. The port number is different every time. Your outgoing port is 80, but the incoming is always different.

As long as you don't have any other ports "forwarded" to your mail server (25 for SMTP and possibly 110 for POP) you're as safe as you can get. You're no more vulnerable to attack than any of us.

leevis
Posts: 4
Joined: Thu Jun 24, 2004 2:17 am

Re: Ta.....

Post by leevis »

terryp wrote:
> That's how I ended up with my rules set, but surely that leaves you open if a hacker attacks you via port 25 on their PC, since they would have access to any port on yours......??
No, because they can only initiate a connection to you on port 25 on your end and expect responses back on a random port >1024. And since ME handles all traffic on port 25, you are really only at risk if there is an exploitable vulnerability discovered in ME itself. Also, when ME needs to SEND mail, it will initiate a connection to the distant mail server's port 25 and will expect responses from that server on a random port number >1024.

POP3 is a bit simpler because you only need one rule; allow incoming connections to port 110 from any port >1024.

Unfortunately, depending on your network/router/firewall topology, you may need to open more ports than that. Remember, mail delivery uses DNS resolution, so you'll need to make sure your server can do DNS queries through the firewall as well.
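To make the point of the replies above concrete, here is an added example (not code from the thread, from MailEnable, or from any poster): a toy packet filter that replays the packets described in the thread against three rule sets. The first is terryp's original stateless pair (destination port 25 in both directions), the second adds the "anything from source port 25 to any port" rule terryp disliked, and the third is Kiliman's rule set with connection tracking, which is what a modern firewall actually does: a reply is accepted because the firewall remembers that the server opened that connection, not because of its source port. All addresses, port numbers and packets are constructed for illustration; the DNS case reflects leevis's last paragraph.

```python
"""Toy stateless vs. stateful packet filter replaying the thread's scenarios.
Added example; addresses, ports and packets are constructed, not captured."""
from dataclasses import dataclass

ME_SERVER = "192.0.2.10"      # constructed address of the mail server behind the firewall
REMOTE_MX = "198.51.100.20"   # constructed address of a remote mail server
OTHER_HOST = "203.0.113.5"    # constructed address of some other Internet host
RESOLVER = "192.0.2.53"       # constructed address of the DNS resolver


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    new: bool   # True for the first packet (SYN) of a connection


# The situations described in the thread, in the order they come up.
SCENARIOS = {
    # ME delivers mail: ephemeral source port (28080 upwards) to the remote server's port 25
    "outbound_smtp_syn": Packet(ME_SERVER, 28080, REMOTE_MX, 25, new=True),
    # the remote server's answer (e.g. the response to HELO) comes back to port 28080
    "outbound_smtp_reply": Packet(REMOTE_MX, 25, ME_SERVER, 28080, new=False),
    # someone delivering mail to ME: random source port, destination port 25
    "inbound_smtp_syn": Packet(OTHER_HOST, 40001, ME_SERVER, 25, new=True),
    # terryp's worry: a packet with source port 25 aimed at a port the server never opened
    "unsolicited_src25": Packet(OTHER_HOST, 25, ME_SERVER, 3389, new=True),
    # the DNS lookup mail delivery depends on (UDP in reality; modelled the same way here)
    "outbound_dns": Packet(ME_SERVER, 51234, RESOLVER, 53, new=True),
}


def stateless_verdicts(allow_src25_to_any: bool) -> dict:
    """terryp's firewall: every packet judged on its own, no memory of connections.

    allow_src25_to_any=False -> just 'allow dst port 25' in both directions.
    allow_src25_to_any=True  -> plus 'allow incoming traffic to any port from port 25'.
    """
    verdicts = {}
    for name, p in SCENARIOS.items():
        ok = p.dport == 25
        if allow_src25_to_any and p.dst == ME_SERVER and p.sport == 25:
            ok = True
        verdicts[name] = ok
    return verdicts


class StatefulFilter:
    """Kiliman's rules with connection tracking: new inbound only to the services
    offered, new outbound only to SMTP and DNS, and replies matched by 4-tuple."""

    NEW_INBOUND = {25, 110}   # SMTP and POP3 offered to the world
    NEW_OUTBOUND = {25, 53}   # SMTP delivery and DNS resolution

    def __init__(self):
        self.tracked = set()  # (src, sport, dst, dport) of accepted connections

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.tracked or rev in self.tracked:
            return True               # ESTABLISHED: belongs to a flow we accepted
        if not p.new:
            return False              # mid-stream packet for a flow we never saw
        if p.dst == ME_SERVER and p.dport in self.NEW_INBOUND:
            self.tracked.add(fwd)
            return True
        if p.src == ME_SERVER and p.dport in self.NEW_OUTBOUND:
            self.tracked.add(fwd)
            return True
        return False                  # everything else, including src-port-25 probes


def stateful_verdicts() -> dict:
    fw = StatefulFilter()
    return {name: fw.allow(p) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    columns = {
        "stateless dst25": stateless_verdicts(False),
        "stateless +src25": stateless_verdicts(True),
        "stateful": stateful_verdicts(),
    }
    print(f"{'scenario':22}" + "".join(f"{c:>18}" for c in columns))
    for name in SCENARIOS:
        row = "".join(f"{'ALLOW' if v[name] else 'BLOCK':>18}" for v in columns.values())
        print(f"{name:22}{row}")
```

Running it shows the three rows the thread argues over: the plain stateless rules block the HELO response (terryp's symptom), the extra source-port-25 rule lets that response through but also lets an unsolicited packet with source port 25 reach port 3389 (terryp's concern), and the stateful rules accept the response and the DNS query while still refusing the unsolicited packet, which is the behaviour leevis describes.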
