On Wed, 2004-11-03 at 10:37, Alexander Dalloz wrote:
> On Wed, 03.11.2004, Ow Mun Heng wrote at 3:13:
> > How can one explicitly bind the milters then?
>
> Paul posted it recently, so did I. It is set via the sendmail.mc in the
> sendmail.cf. See Paul's posting:
>
> http://marc.theaimsgroup.com/?l=fedora-list&m=109845682807103&w=2
> http://marc.theaimsgroup.com/?l=fedora-list&m=109884722321154&w=2

Thanks. (Do you have the title of your email instead? I don't have I-net
access, but I have like 40,000 mails from the Fedora Mail List cached locally.)

>
> > > > * How much do you trust authenticating users? When malware gets
> > > > sent (unknown to the originator) does it send through the user's
> > > > MUA (eg: if users are using Outlook(R))
> > >
> > > In which way is that specific for using the MSA? If you have a worm on a
> > > Windows[tm] machine being able to use the auth data saved within the
> > > mail program, then it does not matter whether you use the MTA or the
> > > MSA. As server administrator you can hardly handle such cases. Only if
> > > you have a close eye on the logs and you observe suspicious sendings.
> >
> > That statement was closely related to my 1st point, eg: if the MSA does
> > not run any milters, then it _would_ matter, wouldn't it?
>
> I don't understand why that depends on any milter? Sendmail handles the
> authentication by using SASL. How should any daemon (not a Sendmail
> specific question) distinguish valid and "stolen" auth data? Do you have
> any sophisticated milter in mind?

You misunderstood me. I'm not talking about auth and the like. (Meaning,
since Outlook(R) caches the auth etc., it's meaningless actually once
compromised.) I was merely stating that MSAs (like mine) do not have
milters bound. (At least I think it doesn't, which I need to check.)

>
> > > > I believe that sendmail is right to instruct that the MSA only be used
> > > > on internal systems. (and if there's a choice, only for the sending
> > > > system and not to accept from other connections on the LAN). I guess it
> > > > also depends how much you trust systems within your LAN or otherwise
> > >
> > > If you don't open the default MSA - means without authentication
> > > enforcement -, then I wouldn't see the problem you see.
> >
> > Okay, let's put it this way. For users such as myself, who use *nix and
> > are sure that there is _no_ malware that affects 99% of the non
> > *nix/*bsd systems, then usage of the MSA w/o any milters is useful.
>
> Please explain to me in which way you see here a difference to using the
> MTA. You refer to the things Leonard Isham quoted here in this thread?

Well.. Here's assuming that the MSA is run w/o any milters, only running via
localhost/loopback/only for auth'ed (*nix clients?). This is _only_ to save a
few cpu cycles/load.

> > If however, the original poster only wanted to open up a MTA/MSA for his
> > user that has port 25 blocked by the ISP, I see no reason in just
> > running another MTA on another port for that user. (But frankly, all
> > that trouble for the 1 user? hehe) Better yet, port-forward the default
> > port 25 to another server running a MTA on say port 2525. That way,
> > there's only 1 listening MTA.
>
> You need to run the MTA on port 25 if you want to receive mail by
> unknown users / other servers. There may be scenarios where users with a
> "private" mail server on a dial-in line don't need to receive mail by
> other servers. Ok, those could close the MTA.

Unless they, like me, run fetchmail to feed the mails to the MTA for the
milters to work
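The "bind the milters explicitly" question above comes down to a few lines of sendmail.mc. The fragment below is an added example, not taken from this thread or from Paul's postings; the milter names (`clamav`, `spamass`), their socket paths and the timeouts are assumptions, and the per-daemon `InputFilter=` key of `DaemonPortOptions` should be checked against the cf/README of the sendmail version actually installed.

```m4
dnl Added example of a sendmail.mc fragment (m4); not from the thread or
dnl from Paul's postings.  Milter names, socket paths and timeouts are
dnl assumptions for illustration.
dnl
dnl Declare the milters.  INPUT_MAIL_FILTER also appends each name to the
dnl global InputMailFilters list, which is what a daemon uses when it has
dnl no InputFilter= key of its own.  F=T: temp-fail mail if the filter
dnl is down; F= (empty): skip the filter silently if it is down.
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.socket, F=T, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamass', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
dnl
dnl MTA on port 25 (smtp): no InputFilter= key, so the global list applies
dnl and both milters run on mail from unknown servers.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl
dnl MSA on port 587 (submission): M=Ea requires SMTP AUTH and refuses ETRN.
dnl InputFilter= names the milters for this daemon only, here just the
dnl virus scanner, so authenticated clients skip the spam check but a
dnl worm sending through a compromised MUA with cached credentials is
dnl still scanned.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea, InputFilter=clamav')dnl
```

After rebuilding (on Fedora, `make -C /etc/mail` and a sendmail restart), `grep -n 'DaemonPortOptions\|InputMailFilters\|^X' /etc/mail/sendmail.cf` shows the generated `O DaemonPortOptions=` lines, the global `O InputMailFilters=` list and one `X` filter definition per milter; that grep is the check for "at least I think it doesn't" above: an MSA line without `InputFilter=` inherits the full global list rather than running with no milters at all.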