Delivery at the University of Guelph
Background flow has dramatically increased in the past few years (~2,000,000 msgs/week) This increase has resulted in: An extensive increase in viruses CCS instituted virus scanning in mail flow A massive increase in spam CCS instituted Realtime Blackhole List CCS instituted spam filtering service
The steady increase in compromised machines has resulted in: –A negative impact on network and University reputation –Increased demand for CCS resources to identify problems –Increased demand on departmental resources to correct problems
Necessary Action Better control of flow on/off campus We need to restrict the flow of on/off campus through centrally managed hosts. This will result in: All being virus scanned All passing through preliminary spam filtering All being spam “scored” The limiting of compromised machines to propagate viruses/spam back out onto the internet Proactive notification of virus infected machines Less resources committed to chasing related compromises Improved reputation of the University
Current Mail Flow Internet CCS Mail Servers Dept Mail Servers U of G Workstations
Future Mail Flow Internet CCS Mail Servers Dept Mail Servers U of G Workstations
Delivery Architecture travels across the network using the SMTP (Simple Mail Transfer Protocol) port (ie port 25) of destination hosts. In order to provide a secure and protected environment on campus, CCS will develop the following architecture to control the use of the SMTP port: All mail destined for hosts inside the uoguelph.ca network must pass through the CCS SMTP service. Connections originating outside the uoguelph.ca network to the SMTP port of any host (other than authorized CCS hosts) of the uoguelph.ca network will be blocked. All mail destined for hosts outside the uoguelph.ca network must pass through the CCS SMTP service (outbound.mail.uoguelph.ca). Connections originating inside the uoguelph.ca network from any host (other than authorized CCS hosts) going directly to the SMTP port of hosts outside the uoguelph.ca network will be blocked. Unauthorzied attempts to circumvent these measures will be considered a violation of the Acceptable Use Policy and Guidelines.
Impact As 95%+ of mail is already delivered through centrally managed mail servers, impact will be minimal. A few departments will need to change Some personal workstations will need to change CCS will work with individual departments to phase in the changes by the end of August.
So Far…. Discussion and widespread support at ITSIG Introduction of SMTP controls on ResNet Departments beginning to align