On Sat, May 15, 2004 at 02:42:21PM +0300, Micha Silver wrote:
> Gavin:
> Why would your LAN users ever need to send SMTP to anywhere other
> than your MTA?

Mostly as a convenience. We have dozens of LAN machines with an assortment of SMTP server settings. We also have some notebooks that roam between different sites, and I deemed it more appropriate to force everyone to use the local MTA than to have to manually reconfigure everything.

> With the above rules aren't you allowing an 1nside (I
> like that 0 1 idea!) computer, infected with a worm to propagate the
> virus?

Yes and no. Yes: by allowing people to theoretically connect to any external MTA, the virus can propagate, but this is weighed against the monitoring I have in place, so that the number of mails processed and the load average on the MTA machine will spike up, and this allows me to quickly identify the offending machine and firewall it out completely whilst the virus is neutralised.

Thinking about it, I could simply firewall things more so that only "our" MTAs are permitted... hmm, I might do that actually - thanks for the train of thought.

I'm glad you like the 0utside/1nside thing... it even holds (to a lesser extent) when you have eth2 configured as the 'DM2' interface :)

Cheers,
Gavin.
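The two mechanisms Gavin describes above (watch the MTA's per-client message rate for a spike, then firewall the offending LAN host, and optionally restrict outbound SMTP to "our" MTAs only) can be sketched in code. The block below is an added example and is not code from the original thread or from Gavin. It assumes a Postfix-style `smtpd ... client=host[ip]` log line (the message does not say which MTA is in use), a constructed log excerpt, eth1 as the inside interface (the thread only names eth2 as the 'DM2' one), an illustrative threshold of 20 messages per 5-minute window, and a hypothetical MTA address; the iptables commands are returned as strings, not executed.

```python
"""Flag a LAN host that has started spraying mail through the MTA.

Added example, not part of the original mailing-list message. Log format,
interface names, MTA address and threshold are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: Postfix smtpd "client=" lines. The original message
# does not name the MTA, so this is an illustrative choice.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]"
)


def _line(minute, second, host, ip, qid):
    """Build one constructed log line (sample data, not a real log)."""
    return (f"May 15 14:{minute:02d}:{second:02d} mx postfix/smtpd[1201]: "
            f"{qid:06X}: client={host}[{ip}]")


# Constructed sample excerpt: two quiet workstations and one that sends
# 60 messages in three minutes, which is what a mass-mailing worm looks like
# from the MTA's side. The last line is noise the parser must ignore.
SAMPLE_LOG = (
    [_line(40 + i, 3, "ws12.lan", "192.168.1.12", i) for i in range(3)]
    + [_line(41, 7, "ws14.lan", "192.168.1.14", 100)]
    + [_line(42 + i // 20, (i % 20) * 3, "ws23.lan", "192.168.1.23", 200 + i)
       for i in range(60)]
    + ["May 15 14:42:30 mx postfix/smtpd[1201]: connect from ws23.lan[192.168.1.23]"]
)


def parse_line(line, year=2004):
    """Return (timestamp, client_ip) for a matching line, else None.
    Syslog timestamps carry no year, so one is supplied for parsing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def peak_rate(timestamps, window):
    """Largest number of events falling inside any sliding window of `window`."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_offenders(lines, threshold=20, window=timedelta(minutes=5), year=2004):
    """Map client IP -> peak message count for clients whose peak exceeds
    `threshold` within `window`. Threshold and window are illustrative."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            ts, ip = parsed
            per_client[ip].append(ts)
    peaks = {ip: peak_rate(t, window) for ip, t in per_client.items()}
    return {ip: n for ip, n in peaks.items() if n > threshold}


def block_rule(ip, inside_if="eth1"):
    """iptables command (as a string, not run) to cut a LAN host off entirely
    while it is cleaned up. eth1 as the inside interface is an assumption."""
    return f"iptables -I FORWARD -i {inside_if} -s {ip} -j DROP"


def smtp_policy_rules(mta_ip, inside_if="eth1"):
    """The tighter policy floated at the end of the message: LAN hosts may
    speak SMTP only to our MTA. Returned as strings, not applied."""
    return [
        f"iptables -A FORWARD -i {inside_if} -p tcp --dport 25 -d {mta_ip} -j ACCEPT",
        f"iptables -A FORWARD -i {inside_if} -p tcp --dport 25 -j REJECT --reject-with tcp-reset",
    ]


if __name__ == "__main__":
    for ip, peak in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} messages in 5 min ->", block_rule(ip))
    for rule in smtp_policy_rules("192.168.1.2"):   # hypothetical MTA address
        print(rule)
```

Run against the sample, the script flags 192.168.1.23 with a peak of 60 messages and prints the drop rule for it; the two quiet hosts stay under the threshold. Lowering the threshold to the per-minute rate of ordinary desktops would start flagging them too, so tune it to what the MTA actually sees.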