On Sat, 3 Apr 2010, Henrik K wrote:

> On Fri, Apr 02, 2010 at 01:45:57PM -0800, Royce Williams wrote:
> > What is the optimal configuration (local.cf or other) for an ISP's
> > MSAs to prevent unauthenticated dynamic-IP customers from triggering
> > dynamic tests, but still benefiting from general filtering?
> >
> > I was hoping for a magical 'mua_networks' option, which let me
> > enumerate the IP space that my users submit from, and automatically
> > exempt them from DOS_OE_TO_MX, etc., but I haven't been able to find
> > anything like that.
>
> All dynamic rules look at external relays. So if you have SA on the relay
> that accepts mail from dynamic space, you need to include all that in
> internal_networks and disable ALL_TRUSTED since it would always hit. I think
> only other option is to manually disable all affected rules, which would be
> hard to maintain..

Or add a custom rule that checks the last external relay for the IP spaces you trust and add some negative points.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Look at the people at the top of both efforts. Linus Torvalds is a
  university graduate with a CS degree. Bill Gates is a university
  dropout who bragged about dumpster-diving and using other peoples'
  garbage code as the basis for his code. Maybe that has something to
  do with the difference in quality/security between Linux and
  Windows.                           -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
 10 days until Thomas Jefferson's 267th Birthday
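
The custom-rule approach suggested in the reply above could look like the following local.cf fragment. This is an added example, not configuration posted in the thread: the rule names are hypothetical, 192.0.2.0/24 is a constructed placeholder for the customer pool, and both scores are placeholders to tune against the locally assigned scores. It also shows a narrower meta-rule variant that only offsets DOS_OE_TO_MX when that rule actually fires.

```conf
# Added example; rule names, address range and scores are assumptions.
# 192.0.2.0/24 is a documentation range standing in for the customer
# dynamic pool. The first entry of the X-Spam-Relays-External
# pseudo-header is the last external relay, i.e. the host that handed
# the message to our MSA, so the pattern is anchored at the start.
header   __LOCAL_CUST_POOL  X-Spam-Relays-External =~ /^\[ ip=192\.0\.2\.\d{1,3} /

# Variant 1: flat offset for any submission from the pool.
meta     LOCAL_CUST_POOL    __LOCAL_CUST_POOL
describe LOCAL_CUST_POOL    Last external relay is in our customer pool
tflags   LOCAL_CUST_POOL    nice
score    LOCAL_CUST_POOL    -1.0

# Variant 2: offset only when the dynamic-IP rule named in the thread
# has fired, so pool mail gets no bonus against content-based rules.
# Set the score to the negative of the local DOS_OE_TO_MX score.
meta     LOCAL_CUST_DOS_OE  (__LOCAL_CUST_POOL && DOS_OE_TO_MX)
describe LOCAL_CUST_DOS_OE  Offsets DOS_OE_TO_MX for customer pool
tflags   LOCAL_CUST_DOS_OE  nice
score    LOCAL_CUST_DOS_OE  -2.0
```

Use one variant or the other, not both, and run `spamassassin --lint` after editing. Keep the offset no larger than the rules it cancels, since an infected customer machine submits from the same address range.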
