-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Case ITS SMTP policy
Version: 1.1.1
Created: 2003 August 27
Christopher Ursich
Policy text
===========
Part 1) Connections originating outside the Case network to the SMTP port (port 25) of hosts on the Case network will be blocked.

System administrators who need to operate independent mail systems should contact ITS to request an exception to Part 1.

Part 2) Connections originating on the Case network to the SMTP port of hosts outside the Case network will be blocked. All mail destined for hosts outside the Case network must be directed through the ITS-run SMTP server, smtp.case.edu.

ITS will grant exceptions to Part 2 for the following reason(s), based on their strong technical merit:

* Message size limit
  The ITS-run SMTP service currently limits the size of a message to 50 MB. If University business cannot be conducted under this limit, mail system administrators should contact ITS to request an exception to Part 2 until this changes.

Rationale
=========
The implementation of this policy has several benefits:

1) Fewer problems with open mail relays
An open mail relay is a host that indiscriminately accepts and forwards email. Open relays are often the result of poor configuration and maintenance by a mail server's administrator. Malicious people on the Internet use various means to identify open relays. They then direct malicious, annoyance or advertisement email spam through the open relay to other people. By using the relay, the spammer makes his actions more difficult for security personnel (including civic law enforcement) to track down. By blocking SMTP traffic as described in the policy, spammers' ability to identify and exploit open relays on the Case network is severely curtailed.

2) Fewer email spam and virus problems
Email is a common means for email spam, computer viruses and other malware to spread on a network. For several years, ITS has provided anti-virus software for Windows and Macintosh systems free of charge on the Software Center, and advertised its availability. Unfortunately, recent virus outbreaks demonstrate that not enough people are taking advantage of this offering. These outbreaks have caused the distribution of confidential documents, and delays in mail delivery. To further address the problem, ITS purchased and deployed a set of anti-virus/anti-spam email filtering devices. By requiring all mail entering and leaving the University to pass through the ITS-run mail system (and hence, these devices), spam and virus propagation will be reduced.

3) Fewer instances of blacklisting
When other organizations on the Internet receive unwanted email from Case, they sometimes choose to reject all mail from us, an action known as "blacklisting." This has happened multiple times. In addition, there exist Internet blacklisting services to which organizations may subscribe, so that all subscribers will know to begin rejecting mail from a perceived offender. This is a situation we must avoid. Suppose, for example, MSN.com or Yahoo.com began rejecting mail from everyone at Case because of a single open mail relay or virus-infected system. Clearly, ITS cannot allow communications to be disrupted in this way.

4) Improved mail auditing
It is sometimes necessary to track down the source or ultimate disposition
of an email message. This process requires ITS to review the cumulative
delivery information the message contains. Unfortunately, in messages
sent by viruses, this information is often falsified. In addition,
because a message may traverse multiple, varied mail systems in order to
be delivered, the delivery information is not completely reliable. By
requiring all mail entering and leaving the University to pass through the
ITS-run mail system, we can guarantee a reliable and consistent point of
audit, logging, troubleshooting, etc.

5) Improved mail system management
As a result of this policy, ITS will have an authoritative list of the mail servers operating on the Case network. This knowledge makes vulnerability assessment, system administrator education, and remediation practical for the first time.
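
Added example (not part of the original policy or any ITS tooling) illustrating rationale item 4: when every message crosses smtp.case.edu, the Received line stamped by that relay is the one hop an auditor can rely on, and anything below it may be forged. The sample message, header layout, and addresses are constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_RELAY = "smtp.case.edu"  # the ITS-run relay named in the policy

# Constructed sample: an outbound message whose sender forged an older hop.
# Host names and addresses (RFC 5737 ranges) are placeholders.
SAMPLE = """\
Received: from smtp.case.edu (smtp.case.edu [192.0.2.10])
\tby mx.example.org with ESMTP id A1; Wed, 27 Aug 2003 10:00:05 -0400
Received: from lab-pc (unknown [198.51.100.77])
\tby smtp.case.edu with ESMTP id B2; Wed, 27 Aug 2003 10:00:01 -0400
Received: from mail.bank.example (mail.bank.example [203.0.113.5])
\tby relay.bank.example with SMTP id C3; Wed, 27 Aug 2003 09:00:00 -0400
From: someone@example.com
Subject: test

body
"""

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
FROM_RE = re.compile(r"^from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)", re.I)

def audit_point(raw, trusted=TRUSTED_RELAY):
    """Find the hop recorded by the trusted relay and the unverifiable hops below it.

    Assumes the message really crossed the relay (which the policy enforces),
    so the newest header stamped "by <trusted>" is genuine. Relays prepend
    headers, so everything below that line was supplied by the sender.
    """
    msg = message_from_string(raw)
    # Unfold continuation lines so each hop is a single normalized string.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):  # newest hop first
        by = BY_RE.search(hop)
        if by and by.group(1).lower() == trusted:
            m = FROM_RE.match(hop)
            return {
                "helo": m.group(1) if m else None,        # name the client claimed
                "client_ip": m.group(2) if m else None,   # address the relay saw
                "untrusted_hops": hops[i + 1:],           # may be falsified
            }
    return None  # never crossed the trusted relay: no reliable audit point

if __name__ == "__main__":
    print(audit_point(SAMPLE))
```

The client address in the relay's own Received line is what should be correlated with the relay's logs; the claimed HELO name and the hops listed as untrusted are sender-controlled.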
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use
iQA/AwUBP5132n2+z//CAlyPEQLjUQCeMfmsUiNKLijKPBCzezmraT5v4LQAn3B2
jl7cYHLg+lJIQas3hS63LGpK
=ooOt
-----END PGP SIGNATURE-----