On 03/04/2015 03:51 PM, Oliver Welter wrote:
>>>>>> I would like to reiterate Reindl Harald's point above, since subsequent
>>>>>> discussion has gotten away from it. If Dovecot had DNS RBL support
>>>>>> similar to Postfix, I think quite a few people would use it, and thereby
>>>>>> defeat the scanners far more effectively than any other method. It is
>>>>>> good that other people are suggesting things that will work today, but
>>>>>> in terms of what new feature would be the best solution, I can't think
>>>>>> of one better than a DNS RBL.
>>>>>
>>>>> Please add this support to iptables instead of Dovecot. It's a waste of
>>>>> effort to code it into every application that listens on the network.
>>>>
>>>> <head explodes>
>>>>
>>>> Would you care to integrate it into IOS on my Cisco as well?
>>>>
>>>> There are things connected to the Internet that aren't PCs running
>>>> Linux, you know. It may be hard to accept, but that's the way it is.
>>>>
>>> I assume your dovecot runs on some kind of *nix
>>
>> Of course. I run it under Solaris.
>>
>>> so there should be some
>>> sort of netfilter available which you can put in front of your listening
>>> ports.
>>
>> There is. But I already have a firewall, running on bulletproof
>> hardware that doesn't depend on spinning disks. I don't want to add
>> ANOTHER firewall when I already have a perfectly good one. Besides, my
>> mail server is built for...serving mail. Not being a firewall.
>>
> Well, from an academic point of view, a network service that denies
> connection on the ip layer is also an ip firewall.

In a real-world datacenter at 3AM, academic points of view seldom, if
ever, come into play.

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA