Andy Green wrote:
Les Mikesell wrote:
If you are handling relatively low volumes of mail, say the low tens
of thousands a day, and "mail guy" is not a shout you respond to,
then I strongly recommend not becoming a white-coated acolyte to
these and to make the smaller brain-investment needed to get Postfix
working great.
Unfortunately the amount of real mail you intend to handle doesn't
relate much to what can happen when you plug into the internet.
Hm well I run my own MX that is "on the Internet" and have done for a
couple of years or more, and I do it with Postfix on a residential
cable modem. I have never had these spamfloods. Every day my daily
logs for this and other machines show one or more attempts to relay
which fail during SMTP time, so they go somewhere else. Often the
recipient on the relaying attempt is undeliverable, they're just
interested if you'll take it. I guess if you take their probes, then
you get the Zombie army hammering at the door.
If you set your MTA (whatever it is) up with
- reject unknown usernames (much virus mail and a fair amount of
spam: gone)
- reduce the stock usernames in /etc/aliases, keep the RFC ones
- greylist one way or another (10 mins seems to work fine)
- reject non-FQDN HELO
- optionally reject "unknown" HELOs, i.e., alleged mailservers that
lack reverse DNS
you will knock out the vast bulk of your enemies before you spend any
real CPU or bandwidth on them. So far I did not need to look at the
next step, doing a fake DNS lookup on one of the realtime blackhole
lists.
Because all of these operate at SMTP transaction time the problems you
point out don't result in dodgy bounces that are sent to the alleged
From guy. Anything that can't be talked out of sending dodgy bounces
to the alleged From guy would indeed be evil.
I use similar tactics on my Postfix setups and have not had any DoS or
other successful attacks against any of the servers under my care in the
last 8 years or so. And they're all dangling out on the Internet with a
big bullseye painted on them. So I think the risk is manageable and not
terribly relevant for me. I've got a few servers that are rather busy
and have had servers in the past that were handling a few tens of
thousands of users.
Understanding and managing risks associated with being plugged in to the
Internet is not an MTA-specific problem. But I daresay that some MTAs
are a bit more difficult to understand than others. ;-)
Cheers,
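For reference, here is what Andy's five-point list looks like as Postfix
main.cf settings. This is an added example, not configuration posted by
anyone in this thread. The ordering puts the cheap lookups first so that
the policy-server call (greylisting) only runs for clients that survive
the earlier checks, which is the "before you spend any real CPU" point
above. Assumptions: a Postfix 2.3 or later syntax (reject_non_fqdn_helo_hostname
and friends), and a postgrey daemon listening on 127.0.0.1:10023, which is
postgrey's usual default but is not stated anywhere in the thread.

```ini
# /etc/postfix/main.cf excerpt (added example; adjust to your site)

# --- "reject unknown usernames" ---
# Postfix looks local recipients up in local_recipient_maps and refuses
# RCPT TO for addresses not found there, at SMTP time. Because the
# rejection happens before the message is accepted, no bounce is ever
# generated toward the forged "From guy" (no backscatter).
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_reject_unlisted_recipient = yes

# --- "reduce the stock usernames in /etc/aliases, keep the RFC ones" ---
# Not a main.cf setting: trim /etc/aliases to the RFC 2142 role names
# you actually answer (postmaster, abuse, ...) and run newaliases.
# Everything removed from /etc/aliases becomes "unknown" and is rejected
# by the setting above.
alias_maps = hash:/etc/aliases

# --- "reject non-FQDN HELO" ---
# HELO/EHLO must be given, and must be a fully qualified hostname.
smtpd_helo_required = yes

# --- recipient-time restrictions, cheap checks first ---
# smtpd_delay_reject (default yes) means the HELO checks below are
# evaluated at RCPT TO time, so the client's recipient is logged too.
smtpd_recipient_restrictions =
    permit_mynetworks,
    # never relay for strangers (on Postfix >= 2.10 this also lives in
    # smtpd_relay_restrictions; keep it here for older releases)
    reject_unauth_destination,
    # unknown local user -> 550 at RCPT time
    reject_unlisted_recipient,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    # "reject non-FQDN HELO"
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    # "optionally reject unknown HELOs": this rejects HELO names with no
    # A or MX record. Andy describes it as "lack reverse DNS"; the check
    # that literally tests the client's PTR record is
    # reject_unknown_reverse_client_hostname (commented out below; it
    # is stricter and will refuse some legitimate but badly run sites).
    reject_unknown_helo_hostname,
    # reject_unknown_reverse_client_hostname,
    # "greylist one way or another": hand the remaining clients to
    # postgrey (assumed address/port; see lead-in). 10 minutes is the
    # delay Andy reports working; set it on the postgrey side with
    # --delay=600.
    check_policy_service inet:127.0.0.1:10023,
    permit

# --- "the next step" Andy has not needed yet: DNS blocklists ---
# Left disabled here; enable only after you know the list's policy.
# smtpd_recipient_restrictions would gain, before check_policy_service:
#    reject_rbl_client zen.spamhaus.org,
```

Two practical notes on this. First, every reject above is a 5xx answered
during the SMTP transaction, so the sending side (zombie or real server)
is the one that has to decide what to do; your server never queues the
message and never emits a bounce, which is exactly why these rules do not
produce the "dodgy bounces to the alleged From guy" problem. Second,
check the result with `postfix check` and `postconf -n`, then watch
`/var/log/maillog` for `NOQUEUE: reject:` lines for a day before
tightening further; `reject_unknown_helo_hostname` and especially the
reverse-client check are the ones most likely to hit legitimate mail.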
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos