FW: job screening question

Keith Medcalf kmedcalf at dessus.com
Sun Jul 8 03:31:32 UTC 2012

(now copied to list as well)

On Sat 07 July, 2012 at 20:32, Owen DeLong wrote:

>>> "What TCP destination port numbers should be allowed through the
>>> perimeter stateful firewall device to and from a mail server whose
>>> only purpose is to proxy SMTP mail from internal sources?"
>>> (one number answer)

>> Short Answer:  There is no answer to the question that can be expressed in
>> one number.

> Sure there is, if you count "none" as a number.

None, NIL, NUL, NULL would be valid I suppose if nulls were permitted.  0 however is not correct.

>> Outbound connections to TCP destination port 25 only.  Returning traffic
>> (including associated ICMP) should be automatically handled by your stateful
>> inspection firewall.  If not, you need to buy a better firewall.

> I'd allow 25 and 465 outbound, myself. No reason to block SSL if the remote
> side offers the capability.


SMTPS is deprecated and port 465 is no longer registered for SMTPS (SMTP over SSL), it is now for

    <description>URL Rendesvous Directory for SSM</description>

So even though many folks may still run SMTPS on port 465, you SHOULD be using STARTTLS on port 25.

> ICMP wouldn't be a TCP destination port number anyway.

Very true.  Then again, there is a significant proportion of the same experts who think DNS only runs over UDP ...

>> Any applicant who provides any answer should be rejected out of hand as
>> (a) being unable to read (b) being a threat to security.

> LoL... Some truth to that.

You would be surprised how many people think that if you 
 permit tcp host x.x.x.x any eq 25
to let traffic out, then you need
 permit tcp any eq 25 host x.x.x.x
as the inverse to permit returning traffic.

This is more of a problem when using packet filtering than it is when configuring stateful inspection firewalls.  Nonetheless, the question does ask what should be opened "to and from" in order to "proxy SMTP mail from internal sources".

It could of course just be a brilliant question designed to detect such problems ...

> Owen


()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org
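
An added illustration, not part of the original message: a simplified Python model of the two packet-filter rules quoted above, next to a stateful filter configured with only the outbound rule. The address 192.0.2.10 standing in for x.x.x.x, the sample packets and all names are constructed for the example, and the model ignores TCP flags and timeouts.

```python
from collections import namedtuple

# Constructed sample values: MAIL stands in for x.x.x.x in the message.
MAIL = "192.0.2.10"
Packet = namedtuple("Packet", "src sport dst dport")

def stateless_permit(p):
    """Both packet-filter rules from the message, checked per packet."""
    # permit tcp host x.x.x.x any eq 25
    if p.src == MAIL and p.dport == 25:
        return True
    # permit tcp any eq 25 host x.x.x.x  (the "inverse" rule)
    return p.sport == 25 and p.dst == MAIL

class StatefulFilter:
    """Only the outbound rule is configured; replies must match a flow."""
    def __init__(self):
        self.flows = set()

    def permit(self, p):
        if p.src == MAIL and p.dport == 25:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound traffic passes only as the exact reverse of a tracked flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

# Constructed packets, in arrival order.
SAMPLES = [
    ("outbound SMTP",        Packet(MAIL, 40000, "198.51.100.5", 25)),
    ("reply to that flow",   Packet("198.51.100.5", 25, MAIL, 40000)),
    ("unrelated, sport 25",  Packet("203.0.113.9", 25, MAIL, 22)),
]

def compare():
    """Return {label: (stateless verdict, stateful verdict)}."""
    fw = StatefulFilter()
    return {label: (stateless_permit(p), fw.permit(p)) for label, p in SAMPLES}

if __name__ == "__main__":
    for label, (sl, sf) in compare().items():
        print(f"{label:22} stateless={sl!s:5} stateful={sf}")
```

The third packet matches the inverse rule on source port alone, so the stateless filter passes it to port 22 on the mail server, while the stateful filter drops it because no tracked flow corresponds to it.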
