On Fri, 04 Dec 2009, Sthu Deus wrote:
> Personally, I do not trust the local network I have the deal with - much
> more than the Internet... So, for me it is much better to protect the
> server - to let it working as it should providing its services rather than
> try to explain the people the primitive rules on IT-security - in other
> words, let it be up to them, separately.

Sure. However, assuming it is also an outbound MTA, you should be aware that an AV-less, content-filter-less MTA will forward actively harmful data to the world at large, and thus it will be blacklisted in no time flat. And it will be a well deserved blacklisting, obviously. Your "safer server" _would_ be a danger to everyone else in that situation.

Here at work, we go to great lengths to make sure no virus or spam can get through the MTAs, either inbound _or_ outbound. Anything we wouldn't let get inside, must NOT go outside either.

There is more to it too: we have strict rate limiting and controls (I love postfix) to catch any internal box which is doing funny stuff. Our clients and servers are compelled to behave where technically possible. We can't always stop spam or phish, but we _can_ detect and stop a spam-run, and DoS attacks from the inside or outside do _not_ get through (while a massive one can bring down the MTA cluster, it will die there and not get past it).

Every box (_all_ servers and _all_ clients) is forced to go through the MTA clusters for port 25 access. All our firewalls (and not just the border firewalls) block any sort of port 25 traffic which doesn't have one of the endpoints in the MTA clusters.

That's called good neighbour policy, the internet would be a much better place if everyone did that (filter out crap that is trying to leave their networks).

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
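
The port 25 rule described in the message above can be audited against firewall flow records. The following is an added example, not part of the original message or the poster's setup: the MTA cluster ranges, the "src dst proto dport" record format and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed (hypothetical) MTA cluster ranges, taken from documentation address space.
MTA_CLUSTERS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:25::/64")]

# Constructed sample flow records, one connection per line: "src dst proto dport".
SAMPLE_FLOWS = """\
10.1.4.17 192.0.2.5 tcp 25
10.1.4.17 203.0.113.80 tcp 25
10.1.9.3 198.51.100.7 tcp 443
192.0.2.6 198.51.100.25 tcp 25
10.1.4.17 203.0.113.81 tcp 25
198.51.100.99 10.1.2.2 tcp 25
2001:db8:1::9 2001:db8:25::2 tcp 25
10.1.7.7 203.0.113.80 udp 25
"""

def in_mta_cluster(addr):
    """True if addr belongs to one of the MTA cluster networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in MTA_CLUSTERS)

def smtp_policy_violations(flow_text):
    """Return (src, dst) for every TCP/25 flow with neither endpoint in the MTA clusters."""
    violations = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, proto, dport = fields
        if proto != "tcp" or dport != "25":
            continue  # the policy only covers SMTP connections
        if not (in_mta_cluster(src) or in_mta_cluster(dst)):
            violations.append((src, dst))
    return violations

def offenders(violations):
    """Count violating flows per source, to find the box that needs attention."""
    return Counter(src for src, _ in violations)

if __name__ == "__main__":
    for src, count in offenders(smtp_policy_violations(SAMPLE_FLOWS)).most_common():
        print(f"{src}: {count} port 25 flow(s) bypassing the MTA clusters")
```

Any hit means a firewall let the flow through or logged it before dropping it; either way the source address is the host to investigate.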

