>Wow! Such stupid arguments and remarks with statements
>such as "I could be wrong on this". A couple of security
>alerts with postfix in the past few weeks? Make sure you
>know wtf you're talking about before you put your foot
>in your mouth.

It was late at night, I wrote the email off the top of my head, and I wanted to go to bed. So I added the disclaimer to avoid comments like this, because I realize I could be making an inaccurate statement.

But since you provoked me....

@RISK: The Consensus Security Vulnerability Alert
April 14, 2005
Vol. 4. Week 15

05.15.39 - GLD Postfix Greylisting Daemon Buffer Overflow
05.15.40 - GLD Postfix Greylisting Daemon Format String

I'm not familiar with postfix so the above may not be referring to the actual Postfix MTA. But it still goes with the point I made that 3rd party software can expose you. By the way, I'm not anti-3rd-party software, I'm just taking the approach of "KISS, Keep It Simple, Stupid." Thus, don't add software if you really don't need to.

>You talk about 0-day with clamd/spamassassin? You fail to
>neglect the problems with the AV solutions themselves
>(See the latest CanSecWest security vulns in "many" AV
>solutions..including root in TM solutions).

Yeah, but my AV solution consists of workstations and a server which are behind my firewall, not on my MTA which I must expose if I want to receive any email. Before you reply with "DMZ", make sure you state that each server you expose to the outside world is on its own DMZ, because I'll probably agree with you then. If not...don't even bother.

>What "enterprise" runs OpenBSD sendmail as its main MTA.

Isn't sendmail the oldest and most popular MTA out there? Didn't universities and big time corporations with thousands of users run it when there was nothing else...and still do? I'm no authority, so I don't know.

>Wow! You call yourself a network administrator and talk about MTA being r00ted by clamd/spamassassin? lol

Is it not possible? I'm interested to hear how they can't ever be exploited. Enlighten me.

>PS - Maybe someone can teach you mail 101. It's never a good idea to have a CNAME to be the MX.

>confuciun.com.          497     IN      MX      10 mail.confuciun.com.
>mail.confuciun.com.     600     IN      CNAME   confuciun.com.

Hey, honestly, thank you for enlightening me. I read about this somewhere too. I goofed or overlooked it but it will be corrected.

>A good admin will keep it up to date regardless. Keeping one (or a handful)
>of boxes up to date yourself is a lot simpler than relying on individual
>clients, especially if you're an ISP and don't have control over them.
Agreed, but with all the security holes out there, can you afford to neglect the clients in favor of keeping a handful of boxes up-to-date? No. As for an ISP, that's a different situation. A different approach would be needed, i.e. filtering spam and viruses is a must on the MTA.

>spamd is used to take redirected traffic on black/greylists,
>it doesn't filter at the application layer. You need something else for this.
I wish I knew a good application layer filter that was open source.

>Here are my $.02, YMMV.
>1) Security should always be layered (belt & suspenders / whatever).
>2) If the site is large enough to warrant the expense, I don't run
>anything on the firewall other than NAT, packet filtering, and IPSec.

Amen, preach on brother.

>3) HTTP Proxies (both ways), smtp proxies, web servers, etc., all go
>into separate DMZs. VLANs and Cisco switches are your friends.

Doesn't this add too much complexity to the setup? I see the logic, but wouldn't all that require a full-time administrator just to properly manage/maintain everything mentioned in #3?
>4) I'm not a big fan of Symantec as a corporation, but Symantec Antivirus
>Corporate Edition is pretty easy to lock down and make reasonably user-proof
>at a site. Remote Admin is not bad at all (you'll need to remote-control
>a local server). My main gripe - they really want you to use a Windows
>box as the local update & quarantine server. It's my understanding that
>you can do some clever stuff with ftp, but I've not taken the time to figure it out.
For everything you said here, you took the words out of my mouth. And when I said what I said in the previous posts, this is the perspective I'm talking from. The assumption is the server updates the clients and the users can't modify it.
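The MX-pointing-at-a-CNAME mistake called out above (RFC 2181 section 10.3 says an MX target must be a hostname with address records, not an alias) is easy to catch before a zone goes live. The following is an added example, not code from anyone in this thread: it parses a small constructed zone fragment (the two records quoted above, plus a corrected variant that gives the mail host an A record in the documentation range 192.0.2.0/24, which is an assumed placeholder) and reports any MX target that is a CNAME or has no address record in the zone. The function names `parse_zone` and `check_mx_targets` are this example's own.

```python
"""Lint a zone fragment for MX targets that are CNAMEs (RFC 2181 section 10.3).

Added example; the zone data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: the two records quoted in the thread.
BROKEN_ZONE = """
confuciun.com.          497     IN      MX      10 mail.confuciun.com.
mail.confuciun.com.     600     IN      CNAME   confuciun.com.
"""

# Constructed corrected variant: the MX target gets its own address record
# (192.0.2.25 is a placeholder from the RFC 5737 documentation range).
FIXED_ZONE = """
confuciun.com.          497     IN      MX      10 mail.confuciun.com.
mail.confuciun.com.     600     IN      A       192.0.2.25
"""


def parse_zone(text):
    """Parse '<name> <ttl> IN <type> <rdata>' lines into {(name, type): [rdata, ...]}.

    Only the simple five-field form used in the thread is handled; lines
    that do not fit it (comments, $ORIGIN, blank lines) are skipped.
    """
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype = fields[:4]
        rdata = " ".join(fields[4:])
        records[(name.lower(), rtype.upper())].append(rdata)
    return records


def check_mx_targets(records):
    """Return (owner, target, problem) tuples for MX records with a bad target.

    A target is bad if the zone holds a CNAME for it (forbidden by RFC 2181)
    or, for in-zone targets, if it has neither an A nor an AAAA record.
    """
    findings = []
    for (owner, rtype), rdatas in records.items():
        if rtype != "MX":
            continue
        for rdata in rdatas:
            # MX rdata is "<preference> <exchange>"
            _pref, target = rdata.split(None, 1)
            target = target.lower()
            if (target, "CNAME") in records:
                findings.append((owner, target, "MX target is a CNAME"))
            elif (target, "A") not in records and (target, "AAAA") not in records:
                # Only meaningful when the target lives in this zone; an
                # external exchange would be resolved separately.
                findings.append((owner, target, "MX target has no A/AAAA record in zone"))
    return findings


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_mx_targets(parse_zone(zone)))
```

Running the check against the quoted records flags `mail.confuciun.com.` as a CNAME target; the corrected fragment produces no findings. The same check is worth running on every zone change, since the failure mode is silent: many senders will still deliver, so the misconfiguration tends to surface only as intermittent bounces.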