SGI: Security

postfix problem ?

So Postfix and Cyrus have been running a while and I'm watching the logs ... and I'm relaying some mail ! Rotten bastards. Not a lot but still, this is intolerable. I'm also getting mail to a local host that hasn't been turned on in months and never had a publicly-visible host name. Originally I set Postfix up to allow relaying from addresses in the local network (had another machine that was doing its own smtp at one time) but this appears to maybe be a mistake ? From looking at the log it appears that there are some unexplained "max connection rate" hits and also some strange addresses ( mailto:[email protected] , for example) trying to get through.

Anyway, if you are running Postfix I would suggest not allowing relaying from your local network addresses. So far that seems to have stopped the problem. Any other suggestions willingly accepted. The logs from Postfix are not as good as Weasel logs. Sure is faster tho.

Bastard spammers :evil:
hamei wrote: Anyway, if you are running Postfix I would suggest not allowing relaying from your local network addresses.

You can control Postfix's idea of what your local network is, and, unless you specify addresses that aren't really on your network, it's bulletproof in my experience. Postfix (since pretty early versions) rejects relaying by default. It's possible to override this with configuration, of course.

If you continue to have trouble, join the Postfix mailing list at http://www.postfix.org . Read the membership welcome notice carefully before posting.

-Shel
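
An added example, not part of any post in this thread: one way to check the logs for mail that was actually relayed is to pair each queue ID's `smtpd` client address with any outbound `smtp` delivery and flag clients outside the networks you meant to trust. The trusted range and the log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the networks that are supposed to be allowed to relay.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# Constructed sample in the usual Postfix syslog layout (documentation addresses).
SAMPLE_LOG = """\
Jan 12 03:14:07 mail postfix/smtpd[1234]: 4F2A11C0E: client=unknown[203.0.113.45]
Jan 12 03:14:08 mail postfix/qmgr[900]: 4F2A11C0E: from=<promo@example.net>, size=2201, nrcpt=1 (queue active)
Jan 12 03:14:09 mail postfix/smtp[1240]: 4F2A11C0E: to=<someone@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, status=sent (250 OK)
Jan 12 03:20:11 mail postfix/smtpd[1250]: 5A3B22D1F: client=desk[192.168.1.20]
Jan 12 03:20:12 mail postfix/smtp[1251]: 5A3B22D1F: to=<friend@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=0.8, status=sent (250 OK)
Jan 12 03:25:40 mail postfix/smtpd[1260]: 6C4D33E2A: client=mx.example.com[198.51.100.9]
Jan 12 03:25:41 mail postfix/lmtp[1261]: 6C4D33E2A: to=<user@local.example>, relay=localhost[/var/imap/socket/lmtp], delay=0.3, status=sent (250 2.1.5 Ok)
"""

LINE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
CLIENT = re.compile(r"client=[^\[]+\[(?P<ip>[^\]]+)\]")
DELIVERY = re.compile(r"to=<(?P<rcpt>[^>]*)>.*status=sent")

def is_trusted(ip):
    """True if the client address falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. client=unknown[unknown]
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_relayed(log_text):
    """Return (queue_id, client_ip, recipient) for outbound mail from untrusted clients."""
    clients, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if m["daemon"] == "smtpd":
            c = CLIENT.match(rest)
            # Authenticated submissions carry sasl_username= and are not counted.
            if c and "sasl_username=" not in rest:
                clients[qid] = c["ip"]
        elif m["daemon"] == "smtp":     # the outbound client: mail leaving this host
            d = DELIVERY.match(rest)
            ip = clients.get(qid)
            if d and ip and not is_trusted(ip):
                findings.append((qid, ip, d["rcpt"]))
    return findings

if __name__ == "__main__":
    for qid, ip, rcpt in find_relayed(SAMPLE_LOG):
        print(f"{qid}: relayed for {ip} to {rcpt}")
```

Mail that arrives from outside and is legitimately forwarded to an external address by an alias will also show up here, so each hit still needs a look.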
shel wrote: You can control Postfix's idea of what your local network is, and, unless you specify addresses that aren't really on your network, it's bulletproof in my experience. Postfix (since pretty early versions) rejects relaying by default. It's possible to override this with configuration, of course.

The problem was trying to accommodate users who are not on the local network and who do not have static IPs .... pop-before-smtp is really what I needed and now that I've kinda given up on the hokey workarounds I was using, it seems like that is actually an option via Perl. Why it isn't part of the Postfix base package is kind of a mystery to me, tho. Seems like almost everyone is travelling all over with a laptop these days. Postfix is definitely fast. Mikey likes that part !
Why not simply smtp with authentication?
hamei wrote: The problem was trying to accommodate users who are not on the local network and who do not have static IPs .... pop-before-smtp is really what I needed and now that I've kinda given up on the hokey workarounds I was using, it seems like that is actually an option via Perl. Why it isn't part of the Postfix base package is kind of a mystery to me, tho. Seems like almost everyone is travelling all over with a laptop these days. Postfix is definitely fast. Mikey likes that part !

Since Postfix doesn't do POP at all, Postfix's including a hack like pop-before-smtp would be pretty tough.

The real thing is to use a supported authentication method. However, they seem to be moderately difficult to implement, since they are a compile-time option with Postfix, etc. Once implemented, both on the client and the server, however, they are user-transparent.

Because I have a relatively small number of traveling users, and they are tech-savvy, I use a home-brew combination of split-horizon DNS and SSH tunnelling to provide remote access. The advantage to this method is that I can allow out-of-LAN access to a number of otherwise local services. The disadvantage is that the user has to affirmatively put his machine into "traveling" mode when he leaves the LAN, and put it back into "local" mode when he returns.

-Shel