My network security is handled elsewhere. I too believe in layered
security, but my desire to use the right tool for the job is much
stronger. My mail server is busy serving mail; my network security is
handled by equipment built and optimized for that job.
It's not like it costs anything extra.... :)
Well...that's the attitude that got us operating systems that need a
gigabyte of memory just to boot, and processors clocked at 3GHz that
give me the same useful performance as my 4MHz Z80 twenty years ago.
;) Nothing is free.
I can see both sides of this. I have an old FreeBSD machine without
filtering in the kernel where I've been forced to create null routes for
hosts that insisted on hammering the machine. My first firewall was
Mischler's IPRoute for DOS on a 386-16 with a floppy drive. I know that
any machine nowadays is plenty powerful enough to do basic filtering
with no adverse effects. We have NICs that can handle Gigabit speeds
handling data across a 1.5Megabit T1.
My suggestion is to just use the simplest solution for your situation.
If you don't have packet filtering in the cable, use a null route. If
you have it, use it. If you're completely averse to doing anything
other than mail on the mail server, give Apple a couple days to supply
the patches and run with that. Mike said the patches were against 1.1,
so it's not like anyone would absolutely need to use the beta 1.2 to get
these features. Even better if he can break the whole of the changes
into smaller patches.
Rick