Jerry Stuckle <jstuc...@attglobal.net> writes:

> On 10/6/2014 7:30 PM, lee wrote:
>> Jerry Stuckle <jstuc...@attglobal.net> writes:
>>
>>> For instance, MUAs typically connect on port 587 (at least that is the
>>> recommendation), while MTAs always use port 25. Additionally, MUAs
>>> should always be validated with signon/password, to prevent the server
>>> from becoming an open relay.
>>
>> 1: You would have to require auth on port 25 just in case a MUA
>> connects on that port. Since you could reasonably do this
>> exclusively for connections from authorised clients (i.e. clients
>> on your LAN), it doesn't seem very useful (unless you need to be
>> afraid of misbehaving clients on your own LAN).
>>
>
> No, you don't. There is nothing in the RFCs which requires port 25 to
> be open to MUAs. OTOH, RFC 2476 reserves port 587 specifically for
> such submission.

How do you distinguish a MUA from an MTA at that point?

>> 2: When nothing but authorised clients (like non-misbehaving MUAs on the
>> LAN) can connect to port 587, how does your MTA become an open relay
>> by not requiring authentication on port 587?
>>
>
> Are you sure only authorized clients can connect? How do you know your
> local network is secure? For instance, does your router have a software
> bug which can allow someone to get in? How about your WiFi access
> point? Are you sure those are secure?

Are you sure the authentication your MTA requires is secure?

> Spammers know better than almost anyone what is secure and what isn't.

In case someone breaks in, I have more to worry about than emails being
sent. And if someone does break in, what prevents them from disabling
the authentication the MUA requires?

> And large companies and governments spend millions of dollars a year to
> secure their systems. They are constantly monitoring their logs and
> running tests, looking for holes. They use commercial gear which is
> quite expensive. They have sysadmins with years of experience in both
> administration and security. Yet they still manage to get hacked.

Their networks tend to be a bit more endangered than a small LAN at home
is.

> Are you saying you and your equipment are better than them?

You only need to be good enough.

> I know a lot about security (it comes with living in the paranoid
> security capital of the world). I've spent a lot of time securing my
> network with multiple levels of security. But I'm not naive enough to
> believe my network can't be hacked.

That's one of the problems with security. It takes a lot of time to
learn, a lot of time to implement and then a lot of time to use because
you need to enter another password all the time. And you don't even
believe it's worthwhile yourself.

>> 3: How do you deal with messages not generated by MUAs when you have
>> blocked your MTA against the LAN through requiring auth?
>>
>
> I don't require authorization on port 25. But I also don't allow it.
> All authorized users must go through port 587. Unauthorized users can
> only go through port 25, and have restricted rights.

So your systems aren't functioning because messages not generated by
MUAs cannot be delivered?

-- 
Hallowed are the Debians!

Archive: https://lists.debian.org/87ppe2m5un....@yun.yagibdah.de
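The split Jerry describes (port 25 for MTA-to-MTA traffic with no authentication and no relaying, port 587 for authenticated submission only) looks like this in Postfix. This is an added example, not configuration posted by either participant in the thread. It assumes Postfix 2.10 or later (where smtpd_relay_restrictions exists), a TLS certificate already configured, Dovecot providing SASL over the socket private/auth, and 192.168.1.0/24 as a made-up home LAN. The two mynetworks lines show the weak setting that lee's point about misbehaving LAN clients bears on (unauthenticated relaying for the whole LAN on port 25) beside the tighter one.

```conf
# /etc/postfix/main.cf (excerpt)
# Postfix does not allow comments after a value, so every comment
# sits on its own line.

# Weak: every host on the LAN may relay through port 25 without
# authenticating, so one compromised laptop or phone turns this MTA
# into a relay for whoever controls that device.
#mynetworks = 127.0.0.0/8 [::1]/128 192.168.1.0/24

# Tighter: only the MTA host itself relays unauthenticated.  LAN MUAs
# must connect to port 587 and authenticate.
mynetworks = 127.0.0.0/8 [::1]/128

# Port 25 policy: accept mail addressed to our own domains from anyone,
# relay only for mynetworks and for authenticated users.  The
# reject_unauth_destination entry is what keeps this from being an
# open relay; without it, or with a LAN-wide mynetworks, it is one.
smtpd_relay_restrictions = permit_mynetworks,
                           permit_sasl_authenticated,
                           reject_unauth_destination

# SASL stays off on port 25 (so unauthenticated MTA peers are the only
# clients there) and is switched on per-service for submission below.
smtpd_sasl_auth_enable = no
# Assumption: Dovecot answers auth requests on this socket, which is
# relative to the queue directory because smtpd runs chrooted.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Opportunistic TLS for other MTAs; submission enforces it below.
smtpd_tls_security_level = may


# /etc/postfix/master.cf (excerpt)
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -       y      -      -      smtpd
submission inet  n       -       y      -      -      smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

With this, port 587 rejects any client that has not authenticated, and authentication can only happen over TLS, while port 25 never offers AUTH at all. On lee's third point: local processes such as cron or a monitoring daemon normally hand mail to /usr/sbin/sendmail, which enters the queue through pickup(8) and never touches smtpd or its restrictions, so forcing MUAs onto an authenticated port does not stop mail that the machine itself generates. After editing, `postfix check` reports syntax problems and `postconf -n` shows the effective non-default settings.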