
I'm planning on creating a simple SMTP Server to auto parse incoming emails to integrate into an application. I chose this method over polling a pop3 account so that I can get instant notification.

Not knowing a whole lot about server protection, I was wondering what I should do to protect against attacks?

The SMTP server will be a .NET app running on Windows Server 2008. My plan is to only allow incoming content, and only emails "to" a whitelist of known email addresses defined within the application.

  • An SMTP port threat? I wasn't aware that there was such a thing. What kind of "attacks" are you envisioning? – joeqwerty Mar 13 '11 at 05:11
  • @joeqwerty Sure, why wouldn't there be? Pick your flavor: [Microsoft](http://www.microsoft.com/technet/security/bulletin/ms05-021.mspx)? How about [exim](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4344) or [postfix](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936)? – Shane Madden Mar 13 '11 at 06:02
  • @Shane: Regardless of the MTA used, what is an SMTP port threat? – joeqwerty Mar 13 '11 at 11:30

1 Answer


From a security perspective, rolling your own SMTP stack is a very bad idea.

You said that POP3 won't work because you want instant notification; I'd suggest looking into IMAP (specifically, the IDLE command). All the instant notification without the internet-exposed custom TCP socket!

Shane Madden
  • +1 for the security tip – poke Mar 12 '11 at 20:02
  • @Shane, any chance you can explain why it's a bad idea? – Matt Brailsford Mar 12 '11 at 20:10
  • I agree that's not a great idea. Mail servers will be connecting to your port and you will have to write the service to handle everything that the incoming mail server would possibly do. That's what existing SMTP servers are for. You can achieve instant notification in your app with an asynchronous worker thread that runs in the background handling your mailbox work. – BoxerBucks Mar 12 '11 at 21:15
  • @Matt With an internet-facing TCP socket, the first concern would be buffer overflows, but there are a number of potential attack points, beyond just the socket listener itself. A screwed up regex in the parsing code could allow a crafted payload in something getting passed to your message handler, for instance. – Shane Madden Mar 13 '11 at 06:21
  • @Shane: Could you elaborate on your comment? What attack points are you referring to? Also, if there exists a real threat by allowing incoming SMTP connections why aren't more SMTP servers afflicted? I can't say that I've ever heard of an MTA being attacked by malicious code, or a screwed up regex, or a buffer overflow. Not that it couldn't happen in theory but I've never heard of it. – joeqwerty Mar 13 '11 at 19:41
  • @joeqwerty Read my response to your comment on the question. The vulnerabilities linked are all in the SMTP stacks of the referenced MTAs. You seem to be saying that there's no inherent weakness in the protocol defined in [RFC 821](http://www.ietf.org/rfc/rfc0821.txt), which is true. However, that does not mean that an SMTP socket listener cannot be vulnerable to attacks. [Ask IBM just last month.](http://www.zerodayinitiative.com/advisories/ZDI-11-049/) – Shane Madden Mar 13 '11 at 19:52
  • @Shane: Not at all, I'm only saying that I've never heard of it and that if the threat truly exists, why it doesn't affect more MTAs. You'd assume that Yahoo, Gmail, and Hotmail would be prime targets but I've never heard or read about them being under any sort of SMTP threat/port attack. – joeqwerty Mar 13 '11 at 23:29
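
Added example, not code from the question or from any answer or comment: one way a listener like the one in the question could handle a single `RCPT TO:` line defensively, covering the length and parsing concerns raised in the comments together with the asker's recipient whitelist. The names `RcptFilter` and `Reply`, the `app.example` addresses and the choice of case-insensitive matching are assumptions; the 512-character command-line limit is from RFC 821.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class RcptFilter
{
    // RFC 821: a command line, including the CRLF, is at most 512 characters.
    const int MaxCommandLine = 512;

    // Constructed allowlist (assumption); the application would supply its own.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "orders@app.example", "support@app.example" };

    // Returns the SMTP reply for the raw bytes of one received command line.
    public static string Reply(byte[] line)
    {
        int n = line.Length;
        if (n > MaxCommandLine) return "500 Line too long";
        if (n < 2 || line[n - 2] != 0x0D || line[n - 1] != 0x0A)
            return "500 Syntax error";
        // Refuse control and 8-bit bytes before decoding anything as text.
        for (int i = 0; i < n - 2; i++)
            if (line[i] < 0x20 || line[i] > 0x7E) return "500 Syntax error";

        string text = Encoding.ASCII.GetString(line, 0, n - 2);
        const string prefix = "RCPT TO:<";
        // Fixed-string checks only: no regex, so no backtracking surprises.
        if (!text.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
            || text[text.Length - 1] != '>')
            return "501 Syntax error in parameters";

        string addr = text.Substring(prefix.Length, text.Length - prefix.Length - 1);
        if (addr.IndexOfAny(new[] { '<', '>', ' ' }) >= 0)
            return "501 Syntax error in parameters";
        // Exact match against the allowlist; everything else is refused.
        return Allowed.Contains(addr) ? "250 OK" : "550 Mailbox unavailable";
    }

    static void Main()
    {
        // Constructed sample input, not captured traffic.
        string[] samples = {
            "RCPT TO:<orders@app.example>\r\n",
            "RCPT TO:<someone@elsewhere.example>\r\n",
            "RCPT TO:<orders@app.example>\n",
            "RCPT TO:<" + new string('A', 600) + ">\r\n" };
        foreach (string s in samples)
            Console.WriteLine(Reply(Encoding.ASCII.GetBytes(s)));
    }
}
```

`Reply` only judges a line that has already been read, so the socket code that feeds it must itself stop reading and drop the connection once 512 bytes arrive without a CRLF.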