Discussion:
[Assp-user] SSL/TLS proxy
Tim Young
2006-10-25 01:35:55 UTC
We have a home-made ssl/tls smtp filter that we have been using. Our
filter adds the originating IP address as a part of the header. Can
ASSP be configured to grab the IP address from a tag in the header
instead of from the tcp/ip connection itself?

Our desired result is to have ASSP and ssl/tls.
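An added illustration (not code from this thread, from ASSP or from the poster's smtpguard) of the check a filter needs before it uses an IP address supplied in a header instead of the one from the TCP connection: the header is honoured only when the connection comes from the trusted SSL/TLS proxy, because any other client could write the same header itself. The header name "X-Originating-IP", the proxy address 10.0.0.5 and the sample message are constructed assumptions.

```python
"""Choose the client IP for filtering when an SSL/TLS front-end proxy
forwards mail in plaintext and records the real peer in a header.

Constructed for illustration: the header name, proxy address and the
sample message are assumptions, not ASSP or the poster's smtpguard.
"""
import ipaddress
from email import message_from_string

# Only connections from these addresses may supply the header (assumed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
HEADER_NAME = "X-Originating-IP"  # assumed header name


def originating_ip(raw_message, peer_ip):
    """Return the IP address the anti-spam checks should be applied to.

    peer_ip is the address of the TCP connection the filter actually sees.
    The header is honoured only when that peer is a trusted proxy; any
    other sender could have written the header itself, so it is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer
    msg = message_from_string(raw_message)
    value = msg.get(HEADER_NAME)
    if value is None:
        return peer
    try:
        # Accept "203.0.113.7" or "[203.0.113.7]"; IPv6 parses the same way.
        return ipaddress.ip_address(value.strip().strip("[]"))
    except ValueError:
        # Malformed header: fall back to the proxy's own address rather than
        # treating the message as coming from an unknown, unchecked source.
        return peer


def strip_forged_header(raw_message, peer_ip):
    """Remove the header from mail that did not arrive via a trusted proxy,
    so nothing downstream can be misled by a client-supplied value."""
    if ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        return raw_message
    msg = message_from_string(raw_message)
    del msg[HEADER_NAME]  # removes every occurrence of the header
    return msg.as_string()


# Constructed sample message as the proxy would hand it over.
SAMPLE = (
    "X-Originating-IP: [203.0.113.7]\n"
    "From: alice@example.org\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    print(originating_ip(SAMPLE, "10.0.0.5"))      # trusted proxy: 203.0.113.7
    print(originating_ip(SAMPLE, "198.51.100.9"))  # direct peer: header ignored
```

The two functions belong together: whichever component first sees an untrusted connection should drop the header as well as ignore it, otherwise a later hop that does trust the proxy will read the forged value.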
James Brown
2006-10-25 02:23:58 UTC
On 25/10/2006, at 11:35 AM, Tim Young wrote:

> We have a home-made ssl/tls smtp filter that we have been using. Our
> filter adds the originating IP address as a part of the header. Can
> ASSP be configured to grab the IP address from a tag in the header
> instead of from the tcp/ip connection itself?
>
> Our desired result is to have ASSP and ssl/tls.

Tim, please let me know how you go with this.

We are also trying to get ASSP to work with SSL/TLS.

I've set up stunnel, but can't get Apple's Mail to connect to it.
Keep getting this error:

2006.10.23 22:43:25 LOG7[29925:25182208]: SSL alert (write): fatal:
handshake failure
2006.10.23 22:43:25 LOG3[29925:25182208]: SSL_connect: 1408F10B:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

So I'd be interested in any way of getting SSL to work with ASSP.

Regards,

James.
Tim Young
2006-10-25 15:44:43 UTC
At this time we do not have it working. I will try to post something if
I do get it working.

Basically we have a home made smtpguard thing (google will bring up a
couple) that does ssl/tls. The home-made smtpguard takes the originating
IP and drops it into the header. If I can add a configuration option to
ASSP so that it takes the IP from the added smtp-header entry, instead
of from the tcp/ip connection, then I should get it to work.

For it to work for everyone else, I would have to convince the author of
the smtpguard to release it open-source... Or leave it to you all to
find a smtpguard version that does ssl/tls.

- Tim

James Brown wrote:
> On 25/10/2006, at 11:35 AM, Tim Young wrote:
>
>
>> We have a home-made ssl/tls smtp filter that we have been using. Our
>> filter adds the originating IP address as a part of the header. Can
>> ASSP be configured to grab the IP address from a tag in the header
>> instead of from the tcp/ip connection itself?
>>
>> Our desired result is to have ASSP and ssl/tls.
>>
>
> Tim, please let me know how you go with this.
>
> We are also trying to get ASSP to work with SSL/TLS.
>
> I've set up stunnel, but can't get Apple's Mail to connect to it.
> Keep getting this error:
>
> 2006.10.23 22:43:25 LOG7[29925:25182208]: SSL alert (write): fatal:
> handshake failure
> 2006.10.23 22:43:25 LOG3[29925:25182208]: SSL_connect: 1408F10B:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> So I'd be interested in any way of getting SSL to work with ASSP.
>
> Regards,
>
> James.
>
>
>
Guy Deslauriers
2006-10-25 18:23:42 UTC
Tim, James,

Did you guys check the percentage of spam VS legitimate mail using TLS?

I had an issue with ASSP and TLS when I originally launched ASSP about a
month ago, so I deactivated it to investigate the TLS necessity. I was
quite surprised to find out that about 90% (if not 95%) of the SMTP over TLS
connection to my mail server was used by spammers....

Since then, I disabled TLS and reactivated ASSP. For me SMTP over TLS is
TOTALLY useless....

I suggested to my users to use something like PGP or the likes if they want
their emails encrypted.

My .02

gd



-----Original Message-----
From: assp-user-***@lists.sourceforge.net
[mailto:assp-user-***@lists.sourceforge.net] On Behalf Of Tim Young
Sent: October 25, 2006 11:45 AM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: Re: [Assp-user] SSL/TLS proxy

At this time we do not have it working. I will try to post something if
I do get it working.

Basically we have a home made smtpguard thing (google will bring up a
couple) that does ssl/tls. The home-made smtpguard takes the originating
IP and drops it into the header. If I can add a configuration option to
ASSP so that it takes the IP from the added smtp-header entry, instead
of from the tcp/ip connection, then I should get it to work.

For it to work for everyone else, I would have to convince the author of
the smtpguard to release it open-source... Or leave it to you all to
find a smtpguard version that does ssl/tls.

- Tim

James Brown wrote:
> On 25/10/2006, at 11:35 AM, Tim Young wrote:
>
>
>> We have a home-made ssl/tls smtp filter that we have been using. Our
>> filter adds the originating IP address as a part of the header. Can
>> ASSP be configured to grab the IP address from a tag in the header
>> instead of from the tcp/ip connection itself?
>>
>> Our desired result is to have ASSP and ssl/tls.
>>
>
> Tim, please let me know how you go with this.
>
> We are also trying to get ASSP to work with SSL/TLS.
>
> I've set up stunnel, but can't get Apple's Mail to connect to it.
> Keep getting this error:
>
> 2006.10.23 22:43:25 LOG7[29925:25182208]: SSL alert (write): fatal:
> handshake failure
> 2006.10.23 22:43:25 LOG3[29925:25182208]: SSL_connect: 1408F10B:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> So I'd be interested in any way of getting SSL to work with ASSP.
>
> Regards,
>
> James.
>
>
>

Tim Young
2006-10-25 18:36:53 UTC
Thanks,
For us ssl/tls is more important than spam protection. All our remote
offices send inter-office emails through ssl/tls. So we come from the
other side; we would like to add spam prevention to our existing ssl/tls.

And yes, there is a lot of spam that comes in through our ssl/tls smtp
connection. Whole-hearted agreement with you!

Thanks,

- Tim

Guy Deslauriers wrote:
> Tim, James,
>
> Did you guys check the percentage of spam VS legitimate mail using TLS?
>
> I had an issue with ASSP and TLS when I originally launched ASSP about a
> month ago, so I deactivated it to investigate the TLS necessity. I was
> quite surprised to find out that about 90% (if not 95%) of the SMTP over TLS
> connection to my mail server was used by spammers....
>
> Since then, I disabled TLS and reactivated ASSP. For me SMTP over TLS is
> TOTALLY useless....
>
> I suggested to my users to use something like PGP or the likes if they want
> their emails encrypted.
>
> My .02
>
> gd
>
>
>
>
>
Micheal Espinola Jr
2006-10-25 18:54:48 UTC
Tim Young wrote:
> Thanks,
> For us ssl/tls is more important than spam protection. All our remote
> offices send inter-office emails through ssl/tls. So we come from the
> other side; we would like to add spam prevention to our existing ssl/tls.
>
> And yes, there is a lot of spam that comes in through our ssl/tls smtp
> connection. Whole-hearted agreement with you!

For inter-office links I would go with a VPN / IPSec solution.

But, perhaps I don't understand the problem here. How can you get
TLS-based spam if the connection doesn't have the proper certificate to
make the connection?
Kevin
2006-10-25 18:46:50 UTC
Guy Deslauriers wrote:
> Tim, James,
>
> Did you guys check the percentage of spam VS legitimate mail using TLS?
>
> I had an issue with ASSP and TLS when I originally launched ASSP about a
> month ago, so I deactivated it to investigate the TLS necessity. I was
> quite surprised to find out that about 90% (if not 95%) of the SMTP over TLS
> connection to my mail server was used by spammers....
>
> Since then, I disabled TLS and reactivated ASSP. For me SMTP over TLS is
> TOTALLY useless....
>
> I suggested to my users to use something like PGP or the likes if they want
> their emails encrypted.
>

TLS is not about encrypting the email message it is for encrypting the
connection between the server and client and thus preventing their
user-name and password from being sent over an unencrypted connection.

Once the message is on the server or is sent by the server to another
server there is no encryption unless it is set up in advance between the
sending and receiving server. Also email stored on disk is not encrypted
in any way unless you use something like PGP as you stated.

As for the spammers using the TLS, I can't comment. My users submit on a
server that is not one of my MX servers and thus no spammers (aside from
random port scanners) use it.

Changing the SMTP submit port to 587 (as per rfc2476 Section 3.1) for
your clients and using SSL/TLS on that would allow all Internet mail to
be scanned by ASSP and by routing outgoing email through ASSP would
allow it to work as it should. Only internal email is not seen by ASSP.

Kevin
Eric B.
2006-10-25 20:21:42 UTC
> Changing the SMTP submit port to 587 (as per rfc2476 Section 3.1) for
> your clients and using SSL/TLS on that would allow all Internet mail to
> be scanned by ASSP and by routing outgoing email through ASSP would
> allow it to work as it should. Only internal email is not seen by ASSP.

How would one configure ASSP to work for this? I've been struggling with
this notion for the last couple of days and can't figure out the right
setup. The way I see it, I need to route all incoming mail on port 25
through ASSP before going to my mail server (ie: set Listen Port to 25 and
SMTP Destination to 225). My mail server would be configured to listen on
port 225.

Now, you are suggesting to add port 587 on my mail server as an incoming
SSL/TLS port. That's fine. So email clients (ex: Outlook Express, etc)
would connect to port 587 and submit their mail.

This is where i get stuck however. How do I configure the mail server &
ASSP to process mail from this point? I can configure the mail server to
use a relay server and route outgoing mail through another server/port, but
how would I configure ASSP to receive that connection and then transmit the
email to the world?

Furthermore, how does this protect any spammers from sending mail to port
587 on my mail server destined for the local users of the mail server,
thereby bypassing ASSP completely? Won't all the local users on the mail
server still get spammed?

Thanks,

Eric
Kevin
2006-10-25 21:32:42 UTC
Eric B. wrote:
>> Changing the SMTP submit port to 587 (as per rfc2476 Section 3.1) for
>> your clients and using SSL/TLS on that would allow all Internet mail to
>> be scanned by ASSP and by routing outgoing email through ASSP would
>> allow it to work as it should. Only internal email is not seen by ASSP.
>
> How would one configure ASSP to work for this? I've been struggling with
> this notion for the last couple of days and can't figure out the right
> setup. The way I see it, I need to route all incoming mail on port 25
> through ASSP before going to my mail server (ie: set Listen Port to 25 and
> SMTP Destination to 225). My mail server would be configured to listen on
> port 225.
>
> Now, you are suggesting to add port 587 on my mail server as an incoming
> SSL/TLS port. That's fine. So email clients (ex: Outlook Express, etc)
> would connect to port 587 and submit their mail.

Yes.
Anonymous email uses port 25.
Authenticated email uses 587.

> This is where i get stuck however. How do I configure the mail server &
> ASSP to process mail from this point? I can configure the mail server to
> use a relay server and route outgoing mail through another server/port, but
> how would I configure ASSP to receive that connection and then transmit the
> email to the world?

Sorry I was not clear in how I have that implemented.

My authenticated clients do not submit email through ASSP.
They use a non MX record server using SSL/TLS.
The server only accepts authenticated email; no anonymous SMTP is allowed.

All Internet/externally bound email is routed through ASSP thus allowing
the whitelist and email interface to function.

-------------------------------------
External Anonymous Email:

Server1A -> ASSP -> Server2A

External Auth Email:

Client -> Server2A

Outgoing Email:

Server2A -> ASSP -> Server2B -> Server1A


Server2A is the main MTA server.
Server2B is a smtp relay server between ASSP and any server on the Internet.
Server2B is not necessarily a separate physical box from the ASSP server.
Server1A is any server that sends my domain email.
-------------------------------------

> Furthermore, how does this protect any spammers from sending mail to port
> 587 on my mail server destined for the local users of the mail server,
> thereby bypassing ASSP completely? Won't all the local users on the mail
> server still get spammed?

Just deny anonymous email on 587.
I've never seen a spammer touch 587 though.



Kevin
Eric B.
2006-10-26 03:09:21 UTC
> -------------------------------------
> External Anonymous Email:
>
> Server1A -> ASSP -> Server2A
>
> External Auth Email:
>
> Client -> Server2A
>
> Outgoing Email:
>
> Server2A -> ASSP -> Server2B -> Server1A
>
>
> Server2A is the main MTA server.
> Server2B is a smtp relay server between ASSP and any server on the
> Internet.
> Server2B is not necessarily a separate physical box from the ASSP server.
> Server1A is any server that sends my domain email.

How do you configure ASSP to know to route email from Server2A to Server2B.
Won't ASSP automatically try to route the SMTP connection to the value
stored in "SMTP Destination"? Doesn't that value need to be Server2A's
address to be able to ensure that incoming mail is transmitted to it?

Or do you have 2 different instances of ASSP running? I'm having trouble
finding the right config params to allow ASSP to be able to run
bidirectionally like that - where when email comes in from 2A it gets
directed to 2B, and vice versa - when it comes in from 2B that it goes to
2A.


> Just deny anonymous email on 587.
> I've never seen a spammer touch 587 though.

Hmmm... good idea. Although I'm not sure if my MTA allows for that. Will
have to look into it. More importantly though, I don't know how easily it
will be to convince all my users to reconfigure their clients (esp. the PC
illiterate ones).


Thanks for the info,

Eric
Charles Marcus
2006-10-26 10:43:40 UTC
>> Just deny anonymous email on 587.
>> I've never seen a spammer touch 587 though.

> Hmmm... good idea. Although I'm not sure if my MTA allows for that. Will
> have to look into it. More importantly though, I don't know how easily it
> will be to convince all my users to reconfigure their clients (esp. the PC
> illiterate ones).

I went through something similar a long time ago...

1. Get encrypted connections working first, alongside non-encrypted
ones, so that they both work.

2. Write up and send out dummy-proof step-by-step instructions for the
most popular mail clients, and then send out warning emails to everyone
that will be affected, explaining what you are doing and why (in
layman's terms, of course), and set a deadline when you will be
terminating the non-encrypted connection support.

3. Make the changes yourself to any/all computers that are local to you
that are used by any management types. Be sure to explain in person to
these people what/why you are doing, ask them about what they use to
access email from the outside, and hand them a printed copy of the
instructions for their client - or, prepare instructions for their
client if it is one that you hadn't already prepared instructions for.

4. Give everyone a cell/home phone number they can reach you at for when
they can't figure out your dummy-proof instructions...

5. Send out warnings 3 days before terminating the non-encrypted
connection support.

6. Send out a final warning the day before.

7. Terminate non-encrypted connections.

8. Answer an un-ending series of help calls when people call screaming
that they cannot access their email, and be prepared for the names they
will call you for daring to do something like this without any warning.

--

Best regards,

Charles
Aaron Allen
2006-10-26 13:29:53 UTC
We have been using the recommended RegExs for BombRe that are posted on
the wiki. Yesterday I had an e-mail from our attorney that was being
blocked because of a spam bomb. Apparently the word "penalties" will
match this RegEx:

\bP+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?(?:\/\|\/|N)+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[S$5]\b#
PENIS

It might not be a bad idea to modify the RegEx that is posted on the
wiki as "penalties" should not score near as high as the word "penis."
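An added check (not code from the thread, the wiki or ASSP) that runs a bombRe pattern against a constructed list of ordinary words before it is deployed, so false positives like the one above show up in a test rather than in an attorney's mail. The pattern is the one quoted in the post; case-insensitive matching is assumed, which is what lets the `I` in the last-but-one class absorb the "i" of "penalties" while the optional `\S?` fillers skip the "a" and the "e".

```python
"""Dry-run an ASSP-style bombRe pattern against words that must not be blocked.

Added illustration, not ASSP code. The pattern is the one quoted from the
wiki in the post above; the word lists are constructed. Case-insensitive
matching is assumed (the obfuscation classes only make sense that way).
"""
import re

# The wiki pattern from the post, without the trailing "#" separator.
PENIS_RE = (
    r"\bP+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?(?:\/\|\/|N)+"
    r"\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[S$5]\b"
)

# Constructed samples: words that should pass, and obfuscations that should not.
LEGITIMATE_WORDS = ["penalties", "pencil", "pens", "pensioner", "open"]
OBFUSCATED_SPELLINGS = ["penis", "p3n1s", "p e n i s", "pen!s"]


def bomb_hits(pattern, words):
    """Return the subset of words the pattern would block, in input order."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [w for w in words if rx.search(w)]


def explain_hits(pattern, words):
    """Map each blocked word to the exact substring the pattern consumed,
    which shows which filler groups swallowed the innocent letters."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {w: m.group(0) for w in words if (m := rx.search(w))}


if __name__ == "__main__":
    print("false positives:", bomb_hits(PENIS_RE, LEGITIMATE_WORDS))
    print("caught:", bomb_hits(PENIS_RE, OBFUSCATED_SPELLINGS))
    print(explain_hits(PENIS_RE, LEGITIMATE_WORDS))
```

The useful discipline is the one the functions encode: keep a list of words that must never match next to every bombRe entry, and re-run it whenever a pattern is loosened to catch another misspelling.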
Micheal Espinola Jr
2006-10-26 20:11:14 UTC
Aaron Allen wrote:
> It might not be a bad idea to modify the RegEx that is posted on the
> wiki as "penalties" should not score near as high as the word "penis."

That's not how ASSP works. You might be confusing functionality with
SpamAssassin. If a bombRe match happens, the message is blocked. Period.

You can alter the bombRe line or simply add the address to your whitelist.
Aaron Allen
2006-10-26 20:17:13 UTC
I used the "scoring" analogy under the assumption that some people may
not be blocking spams based on BombRe but instead using the BombRe in
penalty box (I'm not doing this, and it may not even be possible).

There are certainly easy solutions around this, but we may just want to
modify the RegEx on the wiki so others don't have the same problem. I'd
do it myself if I were a bit more proficient with RegExs.

-----Original Message-----
From: assp-user-***@lists.sourceforge.net
[mailto:assp-user-***@lists.sourceforge.net] On Behalf Of Micheal
Espinola Jr
Sent: Thursday, October 26, 2006 4:11 PM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: Re: [Assp-user] BombRe

Aaron Allen wrote:
> It might not be a bad idea to modify the RegEx that is posted on the
> wiki as "penalties" should not score near as high as the word "penis."

That's not how ASSP works. You might be confusing functionality with
SpamAssassin. If a bombRe match happens, the message is blocked.
Period.

You can alter the bombRe line or simply add the address to your
whitelist.


Fritz Borgstedt
2006-10-26 20:25:59 UTC
>I used the "scoring" analogy under the assumption that some people may
>not be blocking spams based on BombRe but instead using the BombRe in
>penalty box (I'm not doing this, and it may not even be possible).

It is possible and there is even the possibility to have scoring *and*
blocking for the same bombregex depending where the regex is matched
(header/not header)
>
Micheal Espinola Jr
2006-10-26 20:29:15 UTC
Aaron Allen wrote:
> I used the "scoring" analogy under the assumption that some people may
> not be blocking spams based on BombRe but instead using the BombRe in
> penalty box (I'm not doing this, and it may not even be possible).
>
> There are certainly easy solutions around this, but we may just want to
> modify the RegEx on the wiki so others don't have the same problem. I'd
> do it myself if I were a bit more proficient with RegExs.

I agree, but it's a fine line to balance. Those Regular Expressions are
written in a way to catch a wide variety of intentionally misspelled and
obfuscated versions of those words.

Whitelisted users are not normally subjected to the bombRe, so that is
typically a solution of bombRe issues. Right now it works, and
Whitelisted or No Processing users can bypass the list. I simply don't
have the time myself to refine the expressions right now.

I'm of course open to variations of the bombRe expressions if anyone
else would care to work on them.
Fritz Borgstedt
2006-10-25 21:30:23 UTC
>
>Changing the SMTP submit port to 587 (as per rfc2476 Section 3.1) for
>your clients and using SSL/TLS on that would allow all Internet mail
>to
>be scanned by ASSP and by routing outgoing email through ASSP would
>allow it to work as it should. Only internal email is not seen by
>ASSP.

There is:
SMTP Auth Destination

Port to connect to when connections arrive on the second Listen Port.
If blank all incoming mail will go to the main SMTP Destination, the
main use is to allow remote / travelling users to make authenticated
connections, and therefore inject their mail at the SPF-correct point
in the network. eg 127.0.0.1:587
Lars Troen
2006-10-25 18:34:48 UTC
> about 90% (if not 95%) of the SMTP over TLS connection to my
> mail server was used by spammers....

I guess when Exchange 2007 hits the road in a couple of months, the
amount of legal TLS traffic will increase as it will always try to
deliver using TLS if available.

Lars
Micheal Espinola Jr
2006-10-25 19:25:38 UTC
Lars Troen wrote:
> I guess when Exchange 2007 hits the road in a couple of months, the
> amount of legal TLS traffic will increase as it will always try to
> deliver using TLS if available.

Self-signed opportunistic TLS connections can only happen between two
Exchange servers.
Lars Troen
2006-10-25 19:28:25 UTC
Micheal (how do you pronounce your name?) wrote:
> But, perhaps I don't understand the problem here. How can
> you get TLS-based spam if the connection doesn't have the
> proper certificate to make the connection?


Not a direct answer to this question, but at least Exchange 2007 does not
care if the certificate is valid or not (encryption better than no
encryption). I guess other mail servers might have taken this approach
as well?

Lars
Micheal Espinola Jr
2006-10-25 19:37:43 UTC
Lars Troen wrote:
> Micheal (how do you pronounce your name?) wrote:
>

:-) It's an alternate spelling of Michael. It's pronounced exactly the
same.

> Not a direct answer to this question, but at least Exchange 2007 does not
> care if the certificate is valid or not (encryption better than no
> encryption). I guess other mail servers might have taken this approach
> as well?

Ah, OK. I'm starting to read up on "opportunistic TLS" now. I didn't
realize clients could arbitrarily do this. Thanks for the info.
Tim Young
2006-10-25 19:41:29 UTC
With opportunistic ssl/tls, Communigate Pro does, sendmail can. Our
smtpguard server has a self-signed certificate and it does receive
server-to-server email, with the whole email encrypted, from a number of
sites that I do not know what technologies they use. Most of our
traffic is fully encrypted ssl/tls server-to-server email if it is
within our organization.

- Tim Young

Lars Troen wrote:
> Micheal (how do you pronounce your name?) wrote:
>
>> But, perhaps I don't understand the problem here. How can
>> you get TLS-based spam if the connection doesn't have the
>> proper certificate to make the connection?
>>
>
>
> Not a direct answer to this question, but at least Exchange 2007 does not
> care if the certificate is valid or not (encryption better than no
> encryption). I guess other mail servers might have taken this approach
> as well?
>
> Lars
>
>
>
>
Micheal Espinola Jr
2006-10-25 19:58:03 UTC
Tim Young wrote:
> With opportunistic ssl/tls, Communigate Pro does, sendmail can. Our
> smtpguard server has a self-signed certificate and it does receive
> server-to-server email, with the whole email encrypted, from a number of
> sites that I do not know what technologies they use. Most of our
> traffic is fully encrypted ssl/tls server-to-server email if it is
> within our organization.

OK, the only question I have left about this thread is this, to the
people that are having TLS-related issues:

Your TLS port - is it allowing ONLY secure/encrypted communications,
or both TLS and SMTP?

I ask because I don't understand how or why a spammer would bother to
waste time and processing for encrypting their traffic when they can
just bang away on plain ol' SMTP via tcp/25.

I'm getting a feeling that the TLS port in these cases is not configured
to allow *only* encrypted traffic.
brougham Baker
2006-10-25 20:23:25 UTC
From: "Micheal Espinola Jr" <***@espinola.net>
> I ask because I don't understand how or why a spammer would bother to
> waste time and processing for encrypting their traffic when they can
> just bang away on plain ol' SMTP via tcp/25.
>
> I'm getting a feeling that the TLS port in these cases is not configured
> to allow *only* encrypted traffic.

>
Tim Young
2006-10-25 21:18:30 UTC
Our connection allows both encrypted and unencrypted emails to come in
on port 25. Our email server acknowledges the start-tls command. The
email communication initiates in plaintext, but with that command starts
to negotiate SSL/TLS.

The main issue relating to ASSP is that we are required, by a
long-standing internal policy, to have most of our emails come in
encrypted. For ASSP to work best, it should be the first interface. But
it does not do ssl/tls.

But, if I can get ASSP to do most of its processing off an IP which our
ssl/tls proxy has added to the smtp header, then all the functionality
will be available to me. I am not sure if there are other ssl/tls
proxies that do add the IP to the header the way our custom proxy does.
It might be more worth someone's effort to add ssl/tls to ASSP for
everyone, than for someone to help me with my simple problem which might
only help me.

- Tim Young

Micheal Espinola Jr wrote:
>
> OK, the only question I have left about this thread is this, to the
> people that are having TLS-related issues:
>
> Your TLS port - is it allowing ONLY secure/encrypted communications,
> or both TLS and SMTP?
>
> I ask because I don't understand how or why a spammer would bother to
> waste time and processing for encrypting their traffic when they can
> just bang away on plain ol' SMTP via tcp/25.
>
> I'm getting a feeling that the TLS port in these cases is not configured
> to allow *only* encrypted traffic.
>
>
>
Eric B.
2006-10-26 03:12:38 UTC
> But, if I can get ASSP to do most of its processing off an IP which our
> ssl/tls proxy has added to the smtp header, then all the functionality
> will be available to me. I am not sure if there are other ssl/tls
> proxies that do add the IP to the header the way our custom proxy does.
> It might be more worth someone's effort to add ssl/tls to ASSP for
> everyone, than for someone to help me with my simple problem which might
> only help me.


I second the motion. I would love to have SSL/TLS support in ASSP. I've
tried searching for an SMTP proxy that supports SSL/TLS, but have had little
success so far. If I could find such a proxy, then I'd be all good. Would
only need the SSL on the external end of the proxy. Once the proxy secures
the connection, it can transmit the external data encrypted, but my internal
connections can obviously all be done unencrypted.

Does anyone know if a proxy like that even exists? Am I wasting my time
searching for something like that?

Thanks,

Eric
James Brown
2006-10-26 03:21:04 UTC
On 26/10/2006, at 1:12 PM, Eric B. wrote:

> I second the motion. I would love to have SSL/TLS support in ASSP

I third the motion!
paul+
2006-10-26 21:44:13 UTC
On 25 Oct 2006 at 23:12, Eric B. wrote:

> Does anyone know if a proxy like that even exists? Am I wasting my time
> searching for something like that?

I've heard you can do SSL for authentication to a different port using something like stunnel, and
then forward the data on to ASSP secondary port. What you can't do (usefully at any rate) is have
TLS into your main external mail port (25).

Paul
Eric B.
2006-10-26 23:48:01 UTC
> I've heard you can do SSL for authentication to a different port using
> something like stunnel, and
> then forward the data on to ASSP secondary port. What you can't do
> (usefully at any rate) is have
> TLS into your main external mail port (25).

Hmmm... that might be an interesting idea to try. Stop my current email
server from providing the SSL port (currently 465), use stunnel wrap it
instead, and then redirect it into ASSP port 25. In theory, should work....
hopefully.

I'll give that a shot in a couple of weeks when I get back from vacation,
and report back to let you know if it worked or not.

Thanks for the tip.

Eric
brougham Baker
2006-10-27 01:39:13 UTC
From: <paul+***@blakecomp.co.uk>
> On 25 Oct 2006 at 23:12, Eric B. wrote:
>
> > Does anyone know if a proxy like that even exists? Am I wasting my time
> > searching for something like that?
>
> I've heard you can do SSL for authentication to a different port using
something like stunnel, and
> then forward the data on to ASSP secondary port. What you can't do
(usefully at any rate) is have
> TLS into your main external mail port (25).

The separate ports method is long deprecated- from 1999 ISTR (on a page
that I can't seem to find anymore.)
http://www.suspectclass.com/stunnel-tlsproxy/smtp-tls.README

Adding TLS to ASSP the RFC2487 isn't going to be easy- everything that you
learn about a connection before STARTTLS has to be forgotten and done again.
http://www.rfc-editor.org/rfc/rfc2487.txt

Bro
paul+
2006-10-27 08:45:00 UTC
On 27 Oct 2006 at 2:39, brougham Baker wrote:

> The separate ports method is long deprecated- from 1999 ISTR (on a page
> that I can't seem to find anymore.)
> http://www.suspectclass.com/stunnel-tlsproxy/smtp-tls.README

Yes, TLS is intended to replace SSL, but the latter is still well-supported by clients and tools,
and provides a workaround when you require a secure connection to a mailserver protected by ASSP.

Paul
Guy Deslauriers
2006-10-25 20:14:46 UTC
Kevin,

RFC2487 is telling us that SMTP over TLS can protect their communications
from eavesdroppers and attacks. I understand that as an encrypted
communication, no?

Why would usernames and passwords be sent on a SMTP connection?

I don't quite understand what you tried to explain....

gd

-----Original Message-----
From: assp-user-***@lists.sourceforge.net
[mailto:assp-user-***@lists.sourceforge.net] On Behalf Of Kevin
Sent: October 25, 2006 2:47 PM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: Re: [Assp-user] SSL/TLS proxy

Guy Deslauriers wrote:
> Tim, James,
>
> Did you guys check the percentage of spam VS legitimate mail using TLS?
>
> I had an issue with ASSP and TLS when I originally launched ASSP about a
> month ago, so I deactivated it to investigate the TLS necessity. I was
> quite surprised to find out that about 90% (if not 95%) of the SMTP over TLS
> connection to my mail server was used by spammers....
>
> Since then, I disabled TLS and reactivated ASSP. For me SMTP over TLS is
> TOTALLY useless....
>
> I suggested to my users to use something like PGP or the likes if they want
> their emails encrypted.
>

TLS is not about encrypting the email message it is for encrypting the
connection between the server and client and thus preventing their
user-name and password from being sent over an unencrypted connection.

Once the message is on the server or is sent by the server to another
server there is no encryption unless it is set up in advance between the
sending and receiving server. Also email stored on disk is not encrypted
in any way unless you use something like PGP as you stated.

As for the spammers using the TLS, I can't comment. My users submit on a
server that is not one of my MX servers and thus no spammers (aside from
random port scanners) use it.

Changing the SMTP submit port to 587 (as per rfc2476 Section 3.1) for
your clients and using SSL/TLS on that would allow all Internet mail to
be scanned by ASSP and by routing outgoing email through ASSP would
allow it to work as it should. Only internal email is not seen by ASSP.

Kevin

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Kevin
2006-10-25 20:34:25 UTC
Permalink
Guy Deslauriers wrote:
> Kevin,
>
> RFC2487 is telling us that SMTP over TLS can protect their communications
> from eavesdroppers and attacks. I understand that as an encrypted
> communication, no?
>
> Why would usernames and passwords be sent on a SMTP connection?
>
> I don't quite understand what you tried to explain....
>
> gd
>

The key word there is communications: an SSL/TLS connection encrypts the
communication between the 2 parties; it does NOT, however, encrypt the
actual content. Once the connection is severed and the email is sent
from the server to another server there is NO encryption unless
something like PGP or opportunistic SSL/TLS is used, and even then only PGP
encrypts the actual message content.

SMTP-AUTH is why usernames and passwords would be sent over an SMTP
connection. Rather than explain it here I will point you to the RFC and
the Wikipedia article.

http://en.wikipedia.org/wiki/SMTP-AUTH
http://tools.ietf.org/html/rfc2554


Kevin
Guy Deslauriers
2006-10-25 20:44:15 UTC
Permalink
Kevin,

"SMTP-AUTH" and "SMTP over TLS" are completely different subjects.

SMTP-AUTH is for client to server connection, as SMTP over TLS is for server
to server connection.

gd

-----Original Message-----
From: assp-user-***@lists.sourceforge.net
[mailto:assp-user-***@lists.sourceforge.net] On Behalf Of Kevin
Sent: October 25, 2006 4:34 PM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: Re: [Assp-user] SSL/TLS proxy

Guy Deslauriers wrote:
> Kevin,
>
> RFC2487 is telling us that SMTP over TLS can protect their communications
> from eavesdroppers and attacks. I understand that as an encrypted
> communication, no?
>
> Why would usernames and passwords be sent on a SMTP connection?
>
> I don't quite understand what you tried to explain....
>
> gd
>

The key word there is communications: an SSL/TLS connection encrypts the
communication between the 2 parties; it does NOT, however, encrypt the
actual content. Once the connection is severed and the email is sent
from the server to another server there is NO encryption unless
something like PGP or opportunistic SSL/TLS is used, and even then only PGP
encrypts the actual message content.

SMTP-AUTH is why usernames and passwords would be sent over an SMTP
connection. Rather than explain it here I will point you to the RFC and
the Wikipedia article.

http://en.wikipedia.org/wiki/SMTP-AUTH
http://tools.ietf.org/html/rfc2554


Kevin

Micheal Espinola Jr
2006-10-25 20:52:01 UTC
Permalink
Guy Deslauriers wrote:

> SMTP-AUTH is for client to server connection, as SMTP over TLS is for server
> to server connection

I don't believe either of those statements is true. The reverse could
be said for either.
Kevin
2006-10-25 20:53:18 UTC
Permalink
Guy Deslauriers wrote:
> Kevin,
>
> "SMTP-AUTH" and "SMTP over TLS" are completely different subjects.
>
> SMTP-AUTH is for client to server connection, as SMTP over TLS is for server
> to server connection
>
> gd
>

Did you miss that whole first paragraph?


You said "Why would usernames and passwords be sent on a SMTP
connection?" I explained why.
I NEVER said what type of connection it was.


>
> The key word there is communications: an SSL/TLS connection encrypts the
> communication between the 2 parties; it does NOT, however, encrypt the
> actual content. Once the connection is severed and the email is sent
> from the server to another server there is NO encryption unless
> something like PGP or opportunistic SSL/TLS is used, and even then only PGP
> encrypts the actual message content.
>
> SMTP-AUTH is why usernames and passwords would be sent over an SMTP
> connection. Rather than explain it here I will point you to the RFC and
> the Wikipedia article.
>
> http://en.wikipedia.org/wiki/SMTP-AUTH
> http://tools.ietf.org/html/rfc2554
>
>
> Kevin
>
Eric B.
2006-10-25 20:54:58 UTC
Permalink
> "SMTP-AUTH" and "SMTP over TLS" are completely different subjects.
>
> SMTP-AUTH is for client to server connection, as SMTP over TLS is for
> server
> to server connection

How do your clients authenticate & connect to your SMTP port then to send
email? Using SSL/TLS gives the email client the ability to perform
SMTP-AUTH securely without having usernames/pws sent in the clear. If you
are only running internal clients, you might just have an open relay for
internal addresses, which would alleviate the need for SMTP-AUTH altogether,
but people like me need to provide an option to allow external clients to
connect to the server to send email. Hence the need for SMTP-AUTH or
PopBeforeSMTP.

Please correct me if I am wrong.

Eric
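The port-587 submission flow Kevin and Eric describe above, as an added example that is not from the thread or from ASSP: a simulated submission server offers STARTTLS on the plaintext session, refuses SMTP-AUTH (RFC 2554) until the session has been upgraded, and only then accepts an AUTH PLAIN credential. The host names and the credential store are constructed, and the TLS handshake is represented by a flag rather than real TLS.

```python
import base64

# Constructed illustration, not ASSP or any real MTA: a port-587 submission
# server that offers STARTTLS on the plaintext session and accepts SMTP-AUTH
# only after the upgrade, so username/password never cross in the clear.
USERS = {"alice": "s3cret"}  # constructed credential store


class SubmissionServer:
    def __init__(self):
        self.tls_active = False  # stands in for a completed TLS handshake
        self.authenticated = False

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # AUTH is advertised only once the channel is encrypted.
            ext = "250-AUTH PLAIN" if self.tls_active else "250-STARTTLS"
            return f"250-submit.example.net\r\n{ext}\r\n250 8BITMIME"
        if verb == "STARTTLS":
            self.tls_active = True
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls_active:
                return "530 Must issue a STARTTLS command first"
            mech, _, initial = arg.partition(" ")
            if mech.upper() != "PLAIN" or not initial:
                return "504 Unrecognized authentication type"
            try:
                _, user, password = base64.b64decode(initial).decode().split("\0")
            except ValueError:
                return "501 Malformed AUTH PLAIN initial response"
            if USERS.get(user) == password:
                self.authenticated = True
                return "235 Authentication succeeded"
            return "535 Authentication credentials invalid"
        return "502 Command not implemented"


def auth_plain(user, password):
    """AUTH PLAIN initial response: base64 of '\\0user\\0password'."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def submit(server, user, password, use_starttls=True):
    """Drive the client side of the dialogue; return the reply code to AUTH."""
    server.handle("EHLO client.example.org")  # constructed client name
    if use_starttls:
        server.handle("STARTTLS")
        server.handle("EHLO client.example.org")  # EHLO again after upgrade
    return int(server.handle(f"AUTH PLAIN {auth_plain(user, password)}")[:3])
```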
Guy Deslauriers
2006-10-25 21:07:16 UTC
Permalink
I hear ya Kevin,

I misread your answer, sorry...


gd

-----Original Message-----
From: assp-user-***@lists.sourceforge.net
[mailto:assp-user-***@lists.sourceforge.net] On Behalf Of Kevin
Sent: October 25, 2006 4:53 PM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: Re: [Assp-user] SSL/TLS proxy

Guy Deslauriers wrote:
> Kevin,
>
> "SMTP-AUTH" and "SMTP over TLS" are completely different subjects.
>
> SMTP-AUTH is for client to server connection, as SMTP over TLS is for
server
> to server connection
>
> gd
>

Did you miss that whole first paragraph?


You said "Why would usernames and passwords be sent on a SMTP
connection?" I explained why.
I NEVER said what type of connection it was.


>
> The key word there is communications: an SSL/TLS connection encrypts the
> communication between the 2 parties; it does NOT, however, encrypt the
> actual content. Once the connection is severed and the email is sent
> from the server to another server there is NO encryption unless
> something like PGP or opportunistic SSL/TLS is used, and even then only PGP
> encrypts the actual message content.
>
> SMTP-AUTH is why usernames and passwords would be sent over an SMTP
> connection. Rather than explain it here I will point you to the RFC and
> the Wikipedia article.
>
> http://en.wikipedia.org/wiki/SMTP-AUTH
> http://tools.ietf.org/html/rfc2554
>
>
> Kevin
>

Dickson, Paul
2006-10-26 13:45:58 UTC
Permalink
On a related note: I haven't taken the time to look, but my assumption is
that the regex below will block the correct spelling of penis. I think
that is likely to be used somewhat frequently in legitimate email.
Government agencies, law firms, personal emails discussing health
issues, etc etc.

Considering that, I usually only try to create regexes that will
identify common misspellings, but not the correct spelling of such words.

IMHO, I wouldn't post the regex below as is on the WIKI as a
recommendation from the community.

-----Original Message-----
From: assp-user-***@lists.sourceforge.net
[mailto:assp-user-***@lists.sourceforge.net] On Behalf Of Aaron
Allen
Sent: Thursday, October 26, 2006 9:30 AM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: [Assp-user] BombRe

We have been using the recommended RegExs for BombRe that are posted on
the wiki. Yesterday I had an e-mail from our attorney that was being
blocked because of a spam bomb. Apparently the word "penalties" will
match this RegEx:

\bP+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?(?:\/\|\/|N)+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[S$5]\b#
PENIS

It might not be a bad idea to modify the RegEx that is posted on the
wiki as "penalties" should not score near as high as the word "penis."

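Aaron's false positive and Paul's advice to test patterns against correctly spelled words, reproduced as an added example that is not from the thread or from ASSP: it runs the quoted BombRe line over sample text and over a constructed list of legitimate words, which is the regression check a maintainer would run before posting a pattern to the wiki. It assumes ASSP applies the pattern case-insensitively (the reported hit on lowercase "penalties" needs that) and that the trailing "#PENIS" is a label rather than part of the pattern.

```python
import re

# The BombRe line quoted in the thread, joined onto one line. The trailing
# "#PENIS" is treated here as an inline label, not as part of the pattern
# (assumption about the file format).
BOMB_LINE = (r"\bP+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?(?:\/\|\/|N)+"
             r"\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[S$5]\b#PENIS")

# Constructed regression list: words a law firm or a health discussion
# would use and that a bomb pattern must not block.
LEGIT_WORDS = ["penalties", "pencils", "penalty", "peninsula", "penicillin"]


def compile_bomb(line):
    """Split a 'regex#label' line and compile the regex part.

    Assumption: ASSP applies BombRe patterns case-insensitively; the hit on
    lowercase "penalties" reported in the thread only occurs under that flag.
    """
    pattern, _, label = line.partition("#")
    return re.compile(pattern, re.IGNORECASE), label.strip()


def bomb_hits(regex, text):
    """Return every substring the bomb pattern would flag in text."""
    return [m.group(0) for m in regex.finditer(text)]


def false_positives(regex, legit_words):
    """Legitimate words the pattern would block; run before publishing it."""
    return [w for w in legit_words if regex.search(w)]


if __name__ == "__main__":
    regex, label = compile_bomb(BOMB_LINE)
    # Constructed sample: a sentence from a legal email and an obfuscated hit.
    print(label, "hits:", bomb_hits(regex, "review the penalties clause; p3n1s"))
    print("legitimate words blocked:", false_positives(regex, LEGIT_WORDS))
```

The second line of output is the list Paul's concern is about: every word in it is a correctly spelled, legitimate term that the pattern as posted would score as a spam bomb.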
Dickson, Paul
2006-10-26 14:38:17 UTC
Permalink
The hoodia expression was also blocking '***@fredco-md.net'



-----Original Message-----
From: assp-user-***@lists.sourceforge.net
[mailto:assp-user-***@lists.sourceforge.net] On Behalf Of Aaron
Allen
Sent: Thursday, October 26, 2006 9:30 AM
To: Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
Subject: [Assp-user] BombRe

We have been using the recommended RegExs for BombRe that are posted on
the wiki. Yesterday I had an e-mail from our attorney that was being
blocked because of a spam bomb. Apparently the word "penalties" will
match this RegEx:

\bP+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?(?:\/\|\/|N)+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[S$5]\b#
PENIS

It might not be a bad idea to modify the RegEx that is posted on the
wiki as "penalties" should not score near as high as the word "penis."

Micheal Espinola Jr
2006-10-26 20:11:10 UTC
Permalink
Dickson, Paul wrote:
> The hoodia expression was also blocking '***@fredco-md.net'

Whitelist or NP list the address. Or come up with a better expression.

I don't have issues with the Regular Expression in my own legal
environment (a local Bar Association), because all my attorneys are
whitelisted.