On Tue, 2004-11-02 at 17:00, Paul Howarth wrote:
> On Mon, 2004-11-01 at 18:55, Leonard Isham wrote:
> > I suspect that these are the reasons sendmail.org recommends firewalling MSA:
> >
> > Meant to be less strict on standards compliance
> > * Addresses don't have to be fully qualified
> > * Hostnames don't have to be fully qualified
> > * Don't require "required" headers, e.g. Message-ID: and Date:

[SNIP]

> Hence the advice of firewalling it off from external
> clients. However, there is another way to prevent this, i.e. by setting
> up the MSA with the "a" daemon flag, like this:
>
> FEATURE(`no_default_msa')dnl
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> The "a" flag makes the MSA require authentication from any client
> connecting to it. This is how to ensure that only genuine roaming users
> with the right username/password can access the MSA, without leaving it
> open to anybody attempting local delivery.

Hey Paul...

How did you locate the M=Ea option? Is it anywhere in the sendmail doc?
(not online meaning)

The other concern with this and the method of using MSAs is

* It does not have any milters/filters in place. What's stopping
  spam/malware etc from coming in through that path?
* How much do you trust authenticating users? When malware gets sent
  (unknown to the originator) does it send through the user's MUA (eg: if
  users are using Outlook(R)

I believe that sendmail is right to instruct that the MSA only be used on
internal systems. (and if there's a choice, only for the sending system and
not to accept from other connections on the LAN).

I guess it also depends, how much you trust systems within your LAN or
otherwise.

My 2 cents.
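An added example, not part of the original thread: a small audit of a sendmail .mc file that reports, for each listener on the submission port, whether it carries the "a" modifier discussed above. The sample .mc text is constructed, the function names are hypothetical, and treating a missing no_default_msa feature as a default MSA running with M=E is an assumption about stock sendmail defaults.

```python
import re

# m4 quotes strings as `like this'; DAEMON_OPTIONS carries comma-separated Key=Value pairs.
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")
NO_DEFAULT_MSA_RE = re.compile(r"FEATURE\(`no_default_msa'\)")
SUBMISSION_PORTS = {"submission", "587"}

# Constructed sample .mc text, not taken from the thread.
SAMPLE_MC = """\
dnl constructed sample
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=587, Name=MSA2, M=E')dnl
"""


def parse_options(body):
    """Turn 'Port=submission, Name=MSA, M=Ea' into {'port': ..., 'name': ..., 'm': ...}."""
    opts = {}
    for part in body.split(","):
        key, sep, value = part.partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts


def audit_mc(text):
    """Return [(daemon name, auth_required)] for every listener on the submission port."""
    # m4 discards everything from 'dnl' to end of line, so commented-out macros are ignored.
    active = "\n".join(re.split(r"\bdnl\b", ln, maxsplit=1)[0] for ln in text.splitlines())
    findings = []
    if not NO_DEFAULT_MSA_RE.search(active):
        # Assumption: without no_default_msa, a default MSA listens with M=E (no "a").
        findings.append(("default MSA", False))
    for match in DAEMON_RE.finditer(active):
        opts = parse_options(match.group(1))
        port = opts.get("port", opts.get("p", "smtp")).lower()
        if port not in SUBMISSION_PORTS:
            continue
        mods = opts.get("m", opts.get("modifier", ""))
        # "a" requires AUTH; an uppercase "A" disables AUTH and overrides it.
        findings.append((opts.get("name", opts.get("n", "?")), "a" in mods and "A" not in mods))
    return findings


if __name__ == "__main__":
    for name, ok in audit_mc(SAMPLE_MC):
        print(f"{name}: {'AUTH required' if ok else 'AUTH NOT required on submission port'}")
```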