On 30 Jan 2018, at 6:07 (-0500), jin&hitman&Barracuda wrote:
> Yes I saw connections coming
> from 172.27.203.20 and it was me.
> I believe this setup is not fit for mail servers.
Absolutely true. 3 widespread ISP tactics that make a network unfit for
an Internet-facing MTA:
1. DNS hijacking
2. Firewall or router-based (usually Cisco ASA/PIX) mangling of SMTP
3. Source NAT for inbound traffic
All 3 are often presented as part of "network security" packages but
they are each lethal for a mail server.
> Because I prefer to use
> fail2ban for brute force attacks and fail2ban depends on the source IP
> address.
> In this setup I can't see the source IP. Also I'll use iptables as a
> permanent filter for some IPv4 blocks (like china).
> Can anyone tell me that this setup has any benefit?
No.
Inbound source NAT is the most widespread network tactic that I know of
which has no discernible benefit to the downstream user directly or
indirectly. As far as I can tell, it is entirely a side effect of
network gear manufacturers and network operators being lazy in
implementation.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
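As an added illustration (not part of this thread), a small check for the symptom the thread describes: under inbound source NAT every SMTP client appears to come from the gateway address, so a fail2ban-style per-IP ban would hit the gateway rather than the attacker. The log lines are constructed in Postfix's smtpd format and use the thread's 172.27.203.20 as the assumed gateway address.

```python
import re
from collections import Counter

# Constructed Postfix smtpd log sample. Every "connect from" shows the NAT
# gateway (assumed here to be 172.27.203.20), never the real client.
NATTED_LOG = """\
Jan 30 06:01:12 mx postfix/smtpd[1201]: connect from unknown[172.27.203.20]
Jan 30 06:01:13 mx postfix/smtpd[1201]: warning: unknown[172.27.203.20]: SASL LOGIN authentication failed: generic failure
Jan 30 06:01:15 mx postfix/smtpd[1202]: connect from unknown[172.27.203.20]
Jan 30 06:01:16 mx postfix/smtpd[1202]: warning: unknown[172.27.203.20]: SASL LOGIN authentication failed: generic failure
Jan 30 06:01:20 mx postfix/smtpd[1203]: connect from unknown[172.27.203.20]
Jan 30 06:01:21 mx postfix/smtpd[1203]: warning: unknown[172.27.203.20]: SASL LOGIN authentication failed: generic failure
Jan 30 06:02:02 mx postfix/smtpd[1204]: connect from unknown[172.27.203.20]
Jan 30 06:02:03 mx postfix/smtpd[1204]: 2B3C4D5E6F: client=unknown[172.27.203.20]
Jan 30 06:02:40 mx postfix/smtpd[1205]: connect from unknown[172.27.203.20]
"""

# Constructed contrast: the same MTA without SNAT sees distinct client addresses.
DIRECT_LOG = """\
Jan 30 06:01:12 mx postfix/smtpd[1301]: connect from mail.example.net[203.0.113.7]
Jan 30 06:01:15 mx postfix/smtpd[1302]: connect from unknown[198.51.100.23]
Jan 30 06:01:20 mx postfix/smtpd[1303]: connect from unknown[192.0.2.200]
"""

CONNECT_RE = re.compile(r"connect from \S+\[(?P<ip>[0-9a-fA-F:.]+)\]")
AUTHFAIL_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F:.]+)\]: SASL \w+ authentication failed")

def connection_sources(log_text):
    """Count 'connect from' events per client address, as the MTA sees them."""
    return Counter(m.group("ip") for m in CONNECT_RE.finditer(log_text))

def looks_source_natted(log_text, min_connections=5):
    """True when a meaningful number of connections all arrive from one address.
    That is the symptom of inbound source NAT: the MTA has lost the real
    client IP, so per-IP tools (fail2ban, iptables block lists) cannot work."""
    sources = connection_sources(log_text)
    return sum(sources.values()) >= min_connections and len(sources) == 1

def fail2ban_would_ban(log_text, maxretry=3):
    """Addresses a fail2ban-style jail would ban (auth failures >= maxretry).
    Under inbound SNAT this is the gateway, which locks out every client."""
    fails = Counter(m.group("ip") for m in AUTHFAIL_RE.finditer(log_text))
    return sorted(ip for ip, n in fails.items() if n >= maxretry)
```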