How vulnerable am I when I leave SMTP open on my Web server?

Forum Moderators: open

Message Too Old, No Replies

How vulnerable am I when I leave SMTP open on my Web server?

using SMTP to send e-mail with ASP

lebhead

10:03 pm on May 1, 2003 (gmt 0)

Hi. I'm running a Win2K Web server that's hosting the company site, which is built with ASP pages. One of the key functions of ASP that I will be using is its capabilities to send e-mail. I know the general rule is that when you are running a Web server that you should leave off practically all extra services (like ftp and smtp) for security, but I can't see a way around using smtp or even ftp on my Web server.

How vulnerable am I, and is there anything that I can do to better protect my server?

Thanks in advance.

drbrain

10:46 pm on May 1, 2003 (gmt 0)

You don't need to be running an SMTP server to send mail, only to recieve mail. You can just as easily point your web apps at your regular mail server, and you don't have to worry about patching another service on two separate boxes.

If you need to recieve mail, you can set up a POP, IMAP, or some other transfer from the mail server to the web server.

marcs

2:03 am on May 2, 2003 (gmt 0)

You can run SMTP on that server if you need it to send mail. Simply make sure it is not an open relay.

SMTP *is* used to send mail BTW, not to receive it as the other poster claimed.

As to FTP, if this is a remote server and you need to upload files to it, you'll need some way of doing that. FTP is an option, SSH could work, that's up to you.

Stay current with patches and you should be as Ok as you can be.

neh2008

2:25 am on May 2, 2003 (gmt 0)

I have tried to install SSH Server 2ice and failed mainly because I didn't get the right Server Package.

Can you please point me to where to download the SSH Server from? For Win2K, btw.

Thanks a bunch,
Nehal

kwngian

1:30 pm on May 3, 2003 (gmt 0)

marc

>SMTP *is* used to send mail BTW, not to receive it as the
>other poster claimed.

SMTP is used for recieving mails as well. How else is others going to send mail to you? Your mail server will have to listen on port 25 to receive mails from others.

For IIS installation, I think it should be alright to leave it enabled since it only serve as a relay server for the machine running IIS so no one else can send emails through it.

You should be more concern about the recent upsurge in CodeRed and Nimda and use IIS lockdown tool to lock down your server from exploits.

drbrain

5:18 pm on May 5, 2003 (gmt 0)

To clarify, you need an SMTP server somewhere, but not necessarily on the same box.