4

I provide IT Services to a client who, for the longest time in the world, has been using a POP3 server from Network Solutions to handle their email.

At this time, I'm introducing the McAfee SaaS email protection to give their email some type of security and filtering.

Well, turns out Network Solutions' POP3 services don't play well with McAfee.

Essentially, in McAfee, I provide the SMTP address, port # and test the connection. That works. I change the MX records to what McAfee wants. That works fine.

My issue is SMTP authentication. Network Solutions requires this. However, McAfee doesn't provide anything to pass on authentication (when I send an email to my client, it goes from me, to McAfee filter system, and McAfee hands off the email to Network Solutions). When McAfee is handing off the email, Network Solutions rejects it because there is no authentication taking place - and my email is rejected and sent back to me.

After much discussion with McAfee and Network Solutions, our only available solution is to disable authentication. This was AFTER I had two whole domains whitelisted to bypass authentication.

Before turning off SMTP authentication, I'm curious what the security risks are. If a computer were to become compromised, couldn't a hacker/spammer take control of that computer and possibly send thousands of emails at their will? (because w/SMTP authentication off, the computer - or more like the users' Outlook outgoing server options - no authentication is needed).

I'm concerned about the security risks. Network Solutions said they would turn it off, but cautioned me not to. Just curious what others would say about this....

Thanks for conversation...

steve02a

3 Answers

1

To be pedantic, one doesn't enable or disable SMTP authentication on a POP3 server. They are completely separate services (though one really irritating configuration, POP-before-SMTP, uses one to authenticate for the other). It doesn't sound like you're talking about POP3 much; no authentication on POP3 would be allowing anyone and everyone to claim any user's emails, like leaving every mailbox unlocked. No SMTP authentication is allowing anyone and everyone to deposit mail with whatever return address for delivery.

What you should do is configure your SMTP servers to accept emails only from your McAfee-running systems that are filtering outgoing mail. Then, set up SMTP authentication on the McAfee filtering servers. This is a little weaker because someone could pretend to be the McAfee servers and send spam as you; you'll have to secure against that (e.g. network level authentication or something).

If you can't set up SMTP authentication on your McAfee filtering servers because they are really bad at life and don't support it, set up an additional set of mail servers which do, configure McAfee's software to only accept mails from them, and enable authentication on them.

Falcon Momot
  • Falcon - thanks for the reply. This is one thing I have been struggling with. On one hand, my client doesn't want to move from POP3 to Exchange (in house or hosted) since their POP3 is free. On the other hand, McAfee provides no way to send authentication details to Network Solutions. I did consider putting an email server in-between, but it's just too much overhead and my client didn't want to pursue that. – steve02a Feb 10 '13 at 23:23
  • Good luck then. I'm amazed every day at the basic things "security" companies and auditors mess up; they have certainly put you in a situation. – Falcon Momot Feb 11 '13 at 04:12
1

Just a quick follow up on this ancient question, but McAfee does not provide SaaS email protection to POP3 email services any longer, and the customer has since moved to a hosted email which provides its own security - so my original question is irrelevant now (but I can't remove it). Thank you though, to everyone who replied.

steve02a
0

Your clients are currently using SMTP to send their email via the ISP's SMTP service. Don't change this, and definitely don't turn off SMTP authorisation unless your client wants to help spammers.

If your clients trust their staff not to send spam or viruses, then you could just configure their email clients to send directly via the ISP SMTP address, rather than via the McAfee filter.

Incoming mail sent to their server will still get filtered through McAfee, which is probably all the client is bothered about.

Outgoing mail never goes to McAfee at all.

If you stop thinking about email as a single service, and think in terms of a sending mail service and a receiving mail service (which is still a bit of an oversimplification), this makes more sense. They only need filtering for the mail they receive, but not what they send.

dunxd
  • Dunxd - you're correct - they only need inbound filtering (i.e. I send an email to User X). The filtering takes place, of course, after I change their MX records. The McAfee has no problem accepting my email and filtering it. The problem is when McAfee tries to hand it off to Network Solutions pretty much saying "hey, here's an email for User X - take it" and Network Solutions says... hey, you didn't authenticate yourself, I'm rejecting this email. And since McAfee has no way to authenticate - email doesn't work. – steve02a Feb 11 '13 at 21:02
  • And now I'm working with my client to convince them to move to a hosted email (Exchange or Google Apps Premier) so for one, they don't have these 20+GB PST files sitting on the computers and 2, for better security whereas I CAN implement the McAfee filter system. – steve02a Feb 11 '13 at 21:03
  • So how did any mail get delivered to your mailboxes before you implemented this? You only need SMTP authentication for mail that is to be relayed to another server, not mail destined for the server. Sounds to me like you have changed a setting on your server from how it was before. Sure - your mailserver could be configured to only allow mail to be received by a given provider (e.g. your filtering company) - if McAfee doesn't support that feature then to be honest you should take your business elsewhere! – dunxd Feb 11 '13 at 21:28
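
The distinction drawn in the answers above (authentication for relaying versus delivery to local mailboxes, and unauthenticated hand-off accepted only from the filtering hosts) can be modelled as three acceptance policies run over the same sessions. This is an added example, not code from any poster or vendor; the domains, the address range and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: documentation-range addresses and example domains.
LOCAL_DOMAINS = {"client.example"}          # domains whose mailboxes live on this server
FILTER_NETS = [ip_network("192.0.2.0/28")]  # hypothetical egress range of the filtering service

@dataclass(frozen=True)
class Session:
    client_ip: str
    authenticated: bool
    rcpt_to: str

def is_local(rcpt):
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def from_filter(ip):
    return any(ip_address(ip) in net for net in FILTER_NETS)

def auth_for_everything(s):
    """Every message needs AUTH: the setup that rejects the filter's hand-off."""
    return s.authenticated

def auth_disabled(s):
    """AUTH switched off for everyone: the proposed workaround."""
    return True

def scoped(s):
    """AUTH required to relay; unauthenticated local delivery only from the filter."""
    if not is_local(s.rcpt_to):
        return s.authenticated
    return s.authenticated or from_filter(s.client_ip)

SESSIONS = {
    "filter hand-off":   Session("192.0.2.5", False, "userx@client.example"),
    "staff mail client": Session("203.0.113.20", True, "partner@other.example"),
    "stranger relaying": Session("198.51.100.77", False, "victim@other.example"),
    "filter bypass":     Session("198.51.100.77", False, "userx@client.example"),
}

def evaluate(policy):
    """Return {session name: accepted?} for one policy."""
    return {name: policy(s) for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for policy in (auth_for_everything, auth_disabled, scoped):
        print(f"{policy.__name__:20}", evaluate(policy))
```

Only the scoped policy accepts the filter's hand-off while still refusing both the unauthenticated relay attempt and direct delivery that skips the filter.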