Is SmtpProxy a Security Hole?

If not configured and accessed correctly, SmtpProxy could create a security hole that Evil Spammers could take advantage of.  The reason that most SMTP Servers require an encrypted connection is to make it very difficult for the Evil Spammers to steal your password.  Once they have your password, they can start sending billions of emails of dubious value.

The worst part of this, aside from the billions of unwanted emails, is that your email provider will probably punish you by suspending your email account.  What else can they do?  As far as your email provider can tell, you’ve become an Evil Spammer and suspending your account is The Right Thing To Do.

So, can SmtpProxy be used safely? Absolutely.  Like most tools, it comes down to understanding what you’re doing and knowing what to look out for.

Security Starts with Good Borders

SmtpProxy is really no different than any other software that communicates over the Internet.  To be sure it is not misused, you must have good borders.  These borders are usually called firewalls.

Firewalls come in all different sizes and shapes.  Some firewalls are simply software programs that monitor network traffic in and out of your computer.  Windows has had a very useful firewall built into it for many years now.

Other firewalls are built into hardware like network routers.  Wherever they are located, firewalls prevent certain traffic from entering your computer or network.

If you make sure that only trusted computers and programs can access SmtpProxy, then you can feel confident that you are not exposing your email password.

Secure the Boundaries

Option 1: Install SmtpProxy on the Email Client

This is the easiest and safest way to use SmtpProxy.  Follow these simple steps:

  • Install SmtpProxy on the same computer as the Email Client
  • Configure SmtpProxy to listen on a non-standard port such as 7000
  • Make sure you have a software firewall configured to block any connections on port 7000

To test this setup, simply try to connect to SmtpProxy from another computer on the same network.  If the firewall is doing its job, the connection will fail.

Option 2: Install SmtpProxy on an internal network

This is easier if you have quite a few client computers and you want all of them to be able to use SmtpProxy.  Follow these steps:

  • Install SmtpProxy on a computer that everyone on your network can access
  • Configure SmtpProxy to listen on a non-standard port such as 7000
  • Make sure you have a software firewall configured to only accept connections on port 7000 from computers on your local network
  • For even better security, use a hardware firewall/router that prevents outside computers from connecting to your network on port 7000

To test this setup, try to connect to SmtpProxy from a computer outside of your network.  If the firewall is doing its job, the connection will fail.
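
The connection tests for Option 1 and Option 2 can be scripted. The following is an added example, not part of SmtpProxy or of the original page. It assumes port 7000 from the steps above and that an SMTP greeting line may be sent on connect; the function names are illustrative.

```python
import socket
import sys

PROXY_PORT = 7000  # the non-standard port suggested in the steps above


def probe(host, port=PROXY_PORT, timeout=3.0):
    """Try one TCP connection and classify the result.

    Returns (state, banner) where state is:
      "open"        - the connection was accepted (the proxy is reachable)
      "refused"     - the host answered but nothing accepts on that port
      "no-response" - timeout or unreachable (typical of a firewall drop)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    except OSError:  # includes timeouts and unreachable hosts
        return "no-response", ""
    with sock:
        sock.settimeout(timeout)
        try:
            # Assumption: a greeting such as "220 ..." may arrive on connect.
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except OSError:
            banner = ""  # accepted but silent still counts as reachable
    return "open", banner


def check(host, port=PROXY_PORT, expect_open=False, timeout=3.0):
    """Compare the probe result with what the firewall rules should allow.

    expect_open=False: run from a machine that must NOT reach the proxy.
    expect_open=True:  run from a trusted client that must reach it.
    """
    state, banner = probe(host, port, timeout)
    return (state == "open") == expect_open, state, banner


if __name__ == "__main__":
    # Usage: python check_proxy.py HOST [open|blocked]
    if len(sys.argv) < 2:
        sys.exit("usage: check_proxy.py HOST [open|blocked]")
    want_open = len(sys.argv) > 2 and sys.argv[2] == "open"
    ok, state, banner = check(sys.argv[1], expect_open=want_open)
    print(f"{sys.argv[1]}:{PROXY_PORT} -> {state} {banner!r}: {'PASS' if ok else 'FAIL'}")
    sys.exit(0 if ok else 1)
```

Run it with "blocked" from a machine that should be kept out and with "open" from a trusted client; a FAIL in either direction means the firewall rule does not match the intended boundary.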

Last edited Jun 12, 2011 at 12:13 AM by dougclutter, version 3
