On Wed, 2004-11-03 at 09:31, Alexander Dalloz wrote:
> On Wed, 03.11.2004 at 2:05, Ow Mun Heng wrote:
>
> > The other concern with this and the method of using MSAs is
> > * It does not have any milters/filters in place. What's stopping
> > spam/malware etc. from coming in through that path?
>
> If you don't explicitly bind the milters to the MTA only, they are used
> with the MSA too.

Interesting. My submit.{cf | mc} does not contain a lot of things except for the default MSP to use. How can one explicitly bind the milters then?

> > * How much do you trust authenticating users? When malware gets
> > sent (unknown to the originator) does it send through the user's
> > MUA (e.g. if users are using Outlook(R)
>
> In which way is that specific for using the MSA? If you have a worm on a
> Windows[tm] machine being able to use the auth data saved within the
> mail program, then it does not matter whether you use the MTA or the
> MSA. As server administrator you can hardly handle such cases. Only if
> you have a close eye on the logs and you observe suspicious sendings.

That statement was closely related to my 1st point, e.g. if the MSA does not run any milters, then it _would_ matter, wouldn't it?

> > I believe that sendmail is right to instruct that the MSA only be used
> > on internal systems (and if there's a choice, only for the sending
> > system and not to accept from other connections on the LAN). I guess it
> > also depends how much you trust systems within your LAN or otherwise.
>
> If you don't open the default MSA - meaning without authentication
> enforcement - then I wouldn't see the problem you see.

Okay, let's put it this way. For users such as myself, who use *nix and are sure that there is _no_ malware that affects 99% of the non-*nix/*bsd systems, usage of the MSA w/o any milters is useful.
If, however, the original poster only wanted to open up an MTA/MSA for his user who has port 25 blocked by the ISP, I see no reason in just running another MTA on another port for that user. (But frankly, all that trouble for the 1 user? hehe) Better yet, port-forward the default port 25 to another server running an MTA on, say, port 2525. That way, there's only 1 listening MTA.
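Both sides of the exchange above end up at the same fallback for the "worm replaying saved MUA credentials" case: keep a close eye on the logs. The script below is an added example, not code from the thread or from sendmail, showing what that review can look like when automated. It assumes the syslog layout sendmail uses for the two lines that matter per submission (the `AUTH=server` line carrying `authid`, and the `from=` line carrying `daemon=`, the envelope sender and `nrcpts`, both prefixed by the queue id), assumes 2004 as the log year because syslog omits it, and uses placeholder thresholds (10 messages or 50 recipients in 10 minutes, submissions between 00:00 and 06:00). The log lines are constructed for the example.

```python
"""Flag suspicious authenticated submissions in a sendmail log.

Added example; not code from the thread or from sendmail.  Assumes the
syslog layout of sendmail's "AUTH=server" and "from=" lines and a log
year of 2004.  Thresholds are placeholders to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice sends one normal message; bob's saved
# credentials are being replayed by a worm at 03:00.  The daemon=MTA
# line is inbound mail with no AUTH and is ignored by the review.
SAMPLE_LOG = """\
Nov  3 09:31:01 mx sendmail[4102]: iA31V1aB004102: AUTH=server, relay=pc1.lan [192.0.2.10], authid=alice, mech=CRAM-MD5, bits=0
Nov  3 09:31:01 mx sendmail[4102]: iA31V1aB004102: from=<alice@example.test>, size=2231, class=0, nrcpts=1, msgid=<a1@pc1.lan>, proto=ESMTP, daemon=MSA, relay=pc1.lan [192.0.2.10]
Nov  3 09:32:40 mx sendmail[4105]: iA31WeXY004105: from=<list@example.org>, size=9120, class=0, nrcpts=1, msgid=<m1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Nov  3 03:00:02 mx sendmail[4110]: iA330002004110: AUTH=server, relay=pc2.lan [192.0.2.11], authid=bob, mech=LOGIN, bits=0
Nov  3 03:00:02 mx sendmail[4110]: iA330002004110: from=<bob@example.test>, size=48112, class=0, nrcpts=40, msgid=<w1@pc2.lan>, proto=ESMTP, daemon=MSA, relay=pc2.lan [192.0.2.11]
Nov  3 03:00:05 mx sendmail[4111]: iA330005004111: AUTH=server, relay=pc2.lan [192.0.2.11], authid=bob, mech=LOGIN, bits=0
Nov  3 03:00:05 mx sendmail[4111]: iA330005004111: from=<lottery@example.test>, size=48112, class=0, nrcpts=35, msgid=<w2@pc2.lan>, proto=ESMTP, daemon=MSA, relay=pc2.lan [192.0.2.11]
Nov  3 03:00:09 mx sendmail[4112]: iA330009004112: AUTH=server, relay=pc2.lan [192.0.2.11], authid=bob, mech=LOGIN, bits=0
Nov  3 03:00:09 mx sendmail[4112]: iA330009004112: from=<bob@example.test>, size=48112, class=0, nrcpts=30, msgid=<w3@pc2.lan>, proto=ESMTP, daemon=MSA, relay=pc2.lan [192.0.2.11]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<fields>.*)$"
)


def parse_fields(text):
    """Split sendmail's 'k=v, k=v' field list into a dict."""
    fields = {}
    for item in text.split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_log(lines, year=2004):
    """Return {queue id: info} for authenticated MSA submissions.

    The AUTH line and the from= line of one message share a queue id,
    so they are merged on it; messages lacking either are dropped.
    """
    messages = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        info = messages[m.group("qid")]
        if "authid" in f:
            info["authid"] = f["authid"]
        if "from" in f:
            info["when"] = datetime.strptime(
                f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            info["sender"] = f["from"].strip("<>")
            info["daemon"] = f.get("daemon")
            info["nrcpts"] = int(f.get("nrcpts", "0"))
    return {q: i for q, i in messages.items()
            if i.get("daemon") == "MSA" and "authid" in i and "when" in i}


def review(messages, window=timedelta(minutes=10), max_msgs=10,
           max_rcpts=50, quiet=(0, 6)):
    """Return {authid: [reasons]} for users whose submissions look replayed."""
    by_user = defaultdict(list)
    for info in messages.values():
        by_user[info["authid"]].append(info)
    findings = {}
    for user, msgs in by_user.items():
        msgs.sort(key=lambda i: i["when"])
        reasons = []
        # Sliding window: peak message and recipient counts per `window`.
        peak_msgs = peak_rcpts = start = 0
        for end, cur in enumerate(msgs):
            while cur["when"] - msgs[start]["when"] > window:
                start += 1
            burst = msgs[start:end + 1]
            peak_msgs = max(peak_msgs, len(burst))
            peak_rcpts = max(peak_rcpts, sum(i["nrcpts"] for i in burst))
        if peak_msgs >= max_msgs:
            reasons.append(f"{peak_msgs} messages within {window}")
        if peak_rcpts >= max_rcpts:
            reasons.append(f"{peak_rcpts} recipients within {window}")
        # Envelope sender whose local part is not the authenticated user.
        spoofed = sorted({i["sender"] for i in msgs
                          if i["sender"].split("@")[0] != user})
        if spoofed:
            reasons.append("sender does not match authid: " + ", ".join(spoofed))
        # Submissions in the quiet hours when this user is normally idle.
        odd = [i for i in msgs if quiet[0] <= i["when"].hour < quiet[1]]
        if odd:
            reasons.append(f"{len(odd)} submissions between "
                           f"{quiet[0]:02d}:00 and {quiet[1]:02d}:00")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in review(parse_log(SAMPLE_LOG.splitlines())).items():
        print(user, "->", "; ".join(reasons))
```

Run against a real maillog with `parse_log(open("/var/log/maillog"))`; the point of keying on `authid` rather than on the relay address is that a worm on the user's own machine arrives from exactly the host and credentials the legitimate MUA uses, so only volume, timing and sender mismatch distinguish it.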