[CentOS] Kind of OT: internal imap server

Fri Aug 25 17:52:13 UTC 2006
Andy Green <andy at warmcat.com>

Les Mikesell wrote:

>> If you are handling relatively low volumes of mail, say the low tens of 
>> thousands a day, and "mail guy" is not a shout you respond to, then I 
>> strongly recommend not becoming a white-coated acolyte to these and to 
>> make the smaller brain-investment needed to get Postfix working great.
> 
> Unfortunately the amount of real mail you intend to handle doesn't
> relate much to what can happen when you plug into the internet.

Hm well I run my own MX that is "on the Internet" and have done for a 
couple of years or more, and I do it with Postfix on a residential cable 
modem.  I have never had these spam floods.  Every day my daily logs for 
this and other machines show one or more attempts to relay which fail 
during SMTP time, so they go somewhere else.  Often the recipient on the 
relaying attempt is undeliverable; they're just interested in whether you'll 
take it.  I guess if you take their probes, then you get the Zombie army 
hammering at the door.

If you set your MTA (whatever it is) up with

  - reject unknown usernames (much virus mail and a fair amount of spam: 
gone)

  - reduce the stock usernames in /etc/aliases, keep the RFC ones

  - greylist one way or another (10 mins seems to work fine)

  - reject non-FQDN HELO

  - optionally reject "unknown" HELOs, ie, alleged mailservers that lack 
reverse DNS

you will knock out the vast bulk of your enemies before you spend any 
real CPU or bandwidth on them.  So far I did not need to look at the 
next step, doing a fake DNS lookup on one of the realtime blackhole lists.

Because all of these operate at SMTP transaction time the problems you 
point out don't result in dodgy bounces that are sent to the alleged 
From guy.  Anything that can't be talked out of sending dodgy bounces 
to the alleged From guy would indeed be evil.

> That's not the worst part of the license. The real problem is that
> qmail as written has several logical flaws, the above-mentioned
> being the most obvious, and the license states that no one is
> allowed to distribute modified versions so it can't be fixed
> without completely replacing components.

he he what a nonsense license.  It's up there with Creative Commons 
Non-commercial stopping radio stations playing liberally licensed music 
as needing a shooting yourself in the foot award.

-Andy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4492 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20060825/a0dc0384/attachment-0005.bin>