topic Re: Allow 8-bit Charakters and Source-Routed Addresses in Operating System - Linux

Allow 8-bit Charakters and Source-Routed Addresses

'chris' — Tue, 15 Dec 2009 14:49:47 GMT

hi

I have 2 additional options in SMTP service at our firewall:

Allow 8-bit Charakters
Allow Source-Routed Addresses

Can someone pls explain?
Should I disable or enable?

Re: Allow 8-bit Charakters and Source-Routed Addresses

Matti_Kurkela — Tue, 15 Dec 2009 17:16:42 GMT

> Allow 8-bit Charakters

If this is disabled, any characters outside the basic US-ASCII set may cause problems: either the mail is rejected altogether, or the "problem" characters stripped away or changed.

Many email servers can recode an email that contains 8-bit characters so that it can pass through a link that disallows 8-bit characters - but this must be detected before the message is passed through the link, otherwise information is lost. This is why email servers that support 8-bit characters will usually announce that when responding to a connection attempt.

A system that allows 8-bit characters to pass through is also known as "8-bit clean", as it allows data with 8-bit characters to pass through as-is without extra conversion steps, providing a more efficient transfer.

I would recommend that you enable this option. Disabling it is necessary only if you have a legacy email system that cannot handle 8-bit characters.

> Allow source-routed Addresses

This would allow the sender to specify the route the message should take on its way to destination; i.e. "go from Point A to Point B via C, then D, then E".

This feature was originally designed to work around network problems, but these days it is not needed and few people would know how to use it legitimately. Furthermore, because of the junk email problem, any email administrator with a clue will set his/her mail server to not accept email from outside unless it is addressed to his/her users, so it would be very difficult to find useful routing points.

Source-routed addresses can be found at the IP protocol level too. The same rule applies: any source-routed traffic coming in from Internet is most likely intended to deceive you or your systems in some way, and should never be accepted.

Always disable this option in a firewall.

MK

Re: Allow 8-bit Charakters and Source-Routed Addresses

Steven E. Protter — Tue, 15 Dec 2009 20:11:57 GMT

Shalom,

Anything other than standard characters will complicate authentication. Don't do it, you do not need the hassle.

You should use your firewall as an smtp relay only. Set the DS variable in sendmail.cf or sendmail.mc (followed by an m4 compile) and let the firewall do the work.

SEP

Re: Allow 8-bit Charakters and Source-Routed Addresses

'chris' — Tue, 15 Dec 2009 20:31:21 GMT

Can I ask, if these additional SMTP options:

Allow BDAT/CHUNKING
Allow Remote Message Queue Starting
Allow ATUH

should be disabled or enabled at my firewall?

Re: Allow 8-bit Charakters and Source-Routed Addresses

Steven E. Protter — Tue, 15 Dec 2009 21:14:00 GMT

Shalom,

Your firewall should disable all remote access.

The only thing your firewall should do is relay outbound smtp traffic to the public Internet.

SEP

Re: Allow 8-bit Charakters and Source-Routed Addresses

'chris' — Tue, 15 Dec 2009 22:36:44 GMT

Thx, but we have a mail server in the DMZ, so incoming SMTP must be enabled.

What about

Allow BDAT/CHUNKING
Allow Remote Message Queue Starting
Allow ATUH

for the incoming SMTP?

Re: Allow 8-bit Charakters and Source-Routed Addresses

Steven E. Protter — Tue, 15 Dec 2009 22:48:04 GMT

Okay Chris,

Configure the firewall to forward port 25 traffic to the mail server designated to handle inbound mail.

I do not think any of the options mentioned are necessary.

SEP

Re: Allow 8-bit Charakters and Source-Routed Addresses

'chris' — Wed, 16 Dec 2009 00:06:20 GMT

Thx, but can someone pls explain these options?

Re: Allow 8-bit Charakters and Source-Routed Addresses

'chris' — Wed, 16 Dec 2009 00:26:51 GMT

According to the Watchguard Manual:

"Allow BDAT/CHUNKING"
Select to allow BDAT/CHUNKING. This enables large messages to be sent more easily through SMTP connections.

"Allow ETRN" (Remote Message Queue Starting)
This is an extension to SMTP that allows an SMTP client and server to interact to start the exchange of message queues for a given host.

"Allow AUTH" checkbox. This is the optimal setting for most mailservers.

but still cannot understand what's Allow AUTH" means.

Re: Allow 8-bit Charakters and Source-Routed Addresses

Matti_Kurkela — Wed, 16 Dec 2009 09:25:31 GMT

> Allow AUTH

This refers to SMTP AUTH functionality, i.e. authentication.

If you have users that must access your email system remotely and you don't have a VPN service for them, you'll need a way to allow your remote users to use your SMTP server to send mail out from your company using your company's domain name. (If they would try that with their local ISP's email server, the emails would be rejected as forgeries by most spam filters.)

To allow this without making your server an "open relay" (= allow anyone on the Internet to use your SMTP server to send email to anyone, making it look like your company has sent it), you'll need authentication.

If your SMTP server has been configured to allow/use authentication, you'll need to "allow AUTH" or else it does not work.

But if your SMTP server has not been configured for authentication, there is no reason to allow this.

MK