Hey, folks, this is what I'm working on right now ... www.maildroid.org

I'm releasing an ALPHA CD/.iso on or around May 19th. You'll be able to download it and play around with it. I'm running it on my MTA right now, but it is FAR from a final solution. Any ideas/feedback will be helpful. I'll post a note on the list when the .iso is actually up for downloading. If anyone wants a "pre-release snapshot", give me a bell.
cheers
geoffw

Smith wrote:
>
> >Wow! Such stupid arguments and remarks with statements
> >such as "I could be wrong on this". A couple of security
> >alerts with postfix in the past few weeks? Make sure you
> >know wtf you're talking about before you put your foot
> >in your mouth.
>
> It was late at night, I wrote the email off the top of my head, and I
> wanted to go to bed. So I added the disclaimer to avoid comments like
> this, because I realize I could be making an inaccurate statement.
>
> But since you provoked me....
>
> @RISK: The Consensus Security Vulnerability Alert
> April 14, 2005
> Vol. 4. Week 15
>
> 05.15.39 - GLD Postfix Greylisting Daemon Buffer Overflow
> 05.15.40 - GLD Postfix Greylisting Daemon Format String
>
> I'm not familiar with postfix so the above may not be referring to the
> actual Postfix MTA. But it still goes with the point I made that 3rd
> party software can expose you. By the way, I'm not anti-3rd-party
> software, I'm just taking the approach of "KISS, Keep It Simple,
> Stupid." Thus, don't add software if you really don't need to.
>
> >You talk about 0-day with clamd/spamassassin? You fail to
> >neglect the problems with the AV solutions themselves
> >(See the latest CanSecWest security vulns in "many" AV
> >solutions..including root in TM solutions).
>
> Yeah, but my AV solution consists of workstations and a server which
> are behind my firewall, not on my MTA which I must expose if I want to
> receive any email. Before you reply with "DMZ", make sure you state
> that each server you expose to the outside world is on its own DMZ,
> because I'll probably agree with you then. If not...don't even bother.
>
> >What "enterprise" runs OpenBSD sendmail as its main MTA.
>
> Isn't sendmail the oldest and most popular MTA out there? Didn't
> universities and big time corporations with thousands of users run it
> when there was nothing else...and still do? I'm no authority, so I
> don't know.
>
> >Wow! You call yourself a network administrator and talk about MTA
> >being r00ted by clamd/spamassassin? lol
>
> Is it not possible? I'm interested to hear how they can't ever be
> exploited. Enlighten me.
>
> >PS - Maybe someone can teach you mail 101. It's never a good idea to
> >have a CNAME to be the MX.
> >
> >confuciun.com. 497 IN MX 10 mail.confuciun.com.
> >mail.confuciun.com. 600 IN CNAME confuciun.com.
>
> Hey, honestly, thank you for enlightening me. I read about this
> somewhere too. I goofed or overlooked it but it will be corrected.
>
> >A good admin will keep it up to date regardless. Keeping one (or a handful)
> >of boxes up to date yourself is a lot simpler than relying on individual
> >clients, especially if you're an ISP and don't have control over them.
>
> Agreed, but with all the security holes out there, can you afford to
> neglect the clients in favor of keeping a handful of boxes
> up-to-date? No. As for an ISP, that's a different situation. A
> different approach would be needed, i.e. filtering spam and viruses is
> a must on the MTA.
>
> >spamd is used to take redirected traffic on black/greylists,
> >it doesn't filter at the application layer. You need something else
> >for this.
>
> I wish I knew a good application layer filter that was open source.
>
> >Here are my $.02, YMMV.
> >1) Security should always be layered (belt & suspenders / whatever).
> >2) If the site is large enough to warrant the expense, I don't run
> >anything on the firewall other than NAT, packet filtering, and IPSec.
>
> Amen, preach on brother.
>
> >3) HTTP Proxies (both ways), smtp proxies, web servers, etc., all go
> >into separate DMZs. VLANs and Cisco switches are your friends.
>
> Doesn't this add too much complexity to the setup? I see the logic,
> but wouldn't all that require a full-time administrator just to properly
> manage/maintain everything mentioned in #3?
>
> >4) I'm not a big fan of Symantec as a corporation, but Symantec Antivirus
> >Corporate Edition is pretty easy to lock down and make reasonably user-proof
> >at a site. Remote Admin is not bad at all (you'll need to remote-control
> >a local server). My main gripe - they really want you to use a Windows
> >box as the local update & quarantine server. It's my understanding that
> >you can do some clever stuff with ftp, but I've not taken the time to
> >figure it out.
>
> For everything you said here, you took the words out of my mouth. And
> when I said what I said in the previous posts, this is the perspective
> I'm talking from. The assumption is the server updates the clients and
> the users can't modify it.
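The "never point an MX at a CNAME" rule quoted in the thread comes from RFC 2181 section 10.3 (and RFC 1034 section 3.6.2): the exchange name in an MX record must be a canonical name with address records, not an alias. Below is an added example (not code from anyone in this thread) that parses records in the same `owner TTL IN TYPE rdata` layout as the quoted dig output and reports any MX whose exchange is a CNAME, so the misconfiguration can be caught in a zone review before a remote MTA rejects or misroutes mail. The sample record set is constructed: the two confuciun.com lines reproduce the pair quoted in the message, and the example.net lines are a made-up, correctly configured zone. The address-record check only sees the records you hand it, so an MX host that lives in another zone would need its records included.

```python
"""Flag MX records whose exchange is a CNAME (forbidden by RFC 2181 s.10.3)."""
from collections import defaultdict

# Constructed sample records in the same layout as the thread's dig output.
# The two confuciun.com lines reproduce the records quoted in the message;
# the example.net lines are a constructed, correctly configured zone.
SAMPLE_RECORDS = """\
confuciun.com. 497 IN MX 10 mail.confuciun.com.
mail.confuciun.com. 600 IN CNAME confuciun.com.
confuciun.com. 600 IN A 192.0.2.10
example.net. 3600 IN MX 10 mx1.example.net.
example.net. 3600 IN MX 20 mx2.example.net.
mx1.example.net. 3600 IN A 192.0.2.20
mx2.example.net. 3600 IN AAAA 2001:db8::20
"""


def parse_records(text):
    """Parse 'owner ttl class type rdata...' lines into (owner, type, rdata) tuples.

    Owner and exchange names are lower-cased because DNS names compare
    case-insensitively. Blank lines and ';' comments are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {line!r}")
        owner, _ttl, _cls, rtype, *rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def check_mx_targets(text):
    """Return a list of human-readable problems with the MX records in text.

    A problem is reported when an MX exchange owns a CNAME record (an alias,
    which RFC 2181 forbids as an MX target) or when, among the supplied
    records, it has no A/AAAA record at all.
    """
    records = parse_records(text)
    by_owner = defaultdict(dict)  # owner -> {rtype: [rdata, ...]}
    for owner, rtype, rdata in records:
        by_owner[owner].setdefault(rtype, []).append(rdata)

    problems = []
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        preference, exchange = rdata[0], rdata[1].lower()
        target = by_owner.get(exchange, {})
        if "CNAME" in target:
            alias_of = target["CNAME"][0][0]
            problems.append(
                f"{owner} MX {preference} {exchange}: exchange is a CNAME to "
                f"{alias_of} (RFC 2181 s.10.3 requires a canonical name)"
            )
        elif "A" not in target and "AAAA" not in target:
            problems.append(
                f"{owner} MX {preference} {exchange}: no A/AAAA record for the "
                f"exchange among the supplied records"
            )
    return problems


if __name__ == "__main__":
    for problem in check_mx_targets(SAMPLE_RECORDS) or ["no MX problems found"]:
        print(problem)
```

Run against the sample set it reports exactly one problem, the confuciun.com MX pointing at the mail.confuciun.com alias, and the fix is the one the message accepts: give the exchange host its own A/AAAA record (or point the MX at confuciun.com directly) instead of a CNAME.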