FW: job screening question

(now copied to list as well)

"What TCP destination port numbers should be allowed through the
perimeter stateful firewall device to and from a mail server whose
only purpose is to proxy SMTP mail from internal sources?"
(one number answer)

Short Answer: There is no answer to the question that can be expressed in
one number.

Sure there is, if you count "none" as a number.

None, NIL, NUL, NULL would be valid, I suppose, if nulls were permitted. 0, however, is not correct.

Outbound connections to TCP destination port 25 only. Returning traffic
(including associated ICMP) should be automatically handled by your stateful
inspection firewall. If not, you need to buy a better firewall.

I'd allow 25 and 465 outbound, myself. No reason to block SSL if the remote
side offers the capability.


SMTPS is deprecated, and port 465 is no longer registered for SMTPS (SMTP over SSL); it is now for

    <description>URL Rendesvous Directory for SSM</description>

So even though many folks may still run SMTPS on port 465, you SHOULD be using STARTTLS on port 25.

ICMP wouldn't be a TCP destination port number anyway.

Very true. Then again, there is a significant proportion of the same experts who think DNS only runs over UDP ...

> Any applicant who provides any answer should be rejected out of hand as
> (a) being unable to read (b) being a threat to security.

LoL... Some truth to that.

You would be surprised how many people think that if you

    permit tcp host x.x.x.x any eq 25

to let traffic out, then you need

    permit tcp any eq 25 host x.x.x.x

as the inverse to permit returning traffic.

This is more of a problem when using packet filtering than it is when configuring stateful inspection firewalls. Nonetheless, the question does ask what should be opened "to and from" in order to "proxy SMTP mail from internal sources".

It could of course just be a brilliant question designed to detect such problems ...
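To make the difference between the two rule styles in this thread concrete (the single outbound TCP/25 rule on a stateful firewall versus the stateless "inverse rule" for return traffic), here is a small simulation of both decision procedures. This is an added illustration and not code from anyone on the list; the addresses (192.0.2.25 as the mail proxy, 203.0.113.0/24 standing in for the Internet), the port numbers and the class names are constructed for the example.

```python
"""Stateful vs. stateless filtering for an outbound-only SMTP proxy.

Added illustration, not code from the thread. The addresses are
constructed: 192.0.2.25 is the mail proxy, 203.0.113.0/24 stands in
for the Internet. Only the decision logic is modelled, not real packets.
"""
from dataclasses import dataclass

MAIL_PROXY = "192.0.2.25"
SMTP = 25


@dataclass(frozen=True)
class Packet:
    """Just the header fields the two rule styles look at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatelessFilter:
    """Router-style ACL with the 'inverse rule' some candidates add:

        permit tcp host 192.0.2.25 any eq 25      (outbound)
        permit tcp any eq 25 host 192.0.2.25      (the 'return' rule)

    The second line matches on source port only, so any host that sets
    sport=25 reaches any port on the proxy.
    """

    def allows(self, pkt: Packet) -> bool:
        if pkt.src == MAIL_PROXY and pkt.dport == SMTP:
            return True
        if pkt.dst == MAIL_PROXY and pkt.sport == SMTP:
            return True
        return False


class StatefulFilter:
    """Stateful inspection: one outbound rule, replies matched by state.

    Roughly what these iptables rules do (FORWARD chain assumed):
        -s 192.0.2.25 -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    No rule ever permits inbound traffic by port number.
    """

    def __init__(self) -> None:
        # Tracked connections as (src, sport, dst, dport) of the initial SYN.
        self.table: set[tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # ESTABLISHED: either direction of a connection we already track.
        if fwd in self.table or rev in self.table:
            return True
        # NEW: only an initial SYN from the proxy to a remote port 25
        # may create state. Everything else is dropped.
        if pkt.syn and not pkt.ack and pkt.src == MAIL_PROXY and pkt.dport == SMTP:
            self.table.add(fwd)
            return True
        return False


def compare() -> dict[str, tuple[bool, bool]]:
    """Run the same constructed packets, in order, through both filters.

    Returns name -> (stateless_decision, stateful_decision).
    """
    stateless, stateful = StatelessFilter(), StatefulFilter()
    remote, attacker = "203.0.113.10", "203.0.113.66"
    cases = [
        ("proxy SYN to remote:25",
         Packet(MAIL_PROXY, 51000, remote, SMTP, syn=True)),
        ("remote:25 SYN/ACK back to proxy:51000",
         Packet(remote, SMTP, MAIL_PROXY, 51000, syn=True, ack=True)),
        ("attacker sport 25 SYN to proxy:22",
         Packet(attacker, SMTP, MAIL_PROXY, 22, syn=True)),
        ("attacker SYN to proxy:25",
         Packet(attacker, 40000, MAIL_PROXY, SMTP, syn=True)),
        ("unsolicited 'reply' from remote:25 to proxy:60000",
         Packet(remote, SMTP, MAIL_PROXY, 60000, ack=True)),
    ]
    return {name: (stateless.allows(p), stateful.allows(p)) for name, p in cases}


if __name__ == "__main__":
    for name, (sl, sf) in compare().items():
        print(f"{name:52} stateless={sl!s:5} stateful={sf}")
```

The two filters agree on the legitimate exchange (outbound SYN, SYN/ACK reply) and on an inbound connection attempt to port 25. They part ways on the third and fifth packets: the stateless "inverse rule" accepts anything arriving with source port 25, including a SYN to the proxy's SSH port, whereas the stateful filter drops both because no tracked connection matches. That is the only sense in which the screening question has a one-number answer: 25, outbound, with nothing opened inbound at all.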