[CentOS] Replacing my Scalix mail server
rgm at htt-consult.com
Wed Apr 1 02:48:12 UTC 2009
Les Mikesell wrote:
> Robert Moskowitz wrote:
>> I have seen attacks and mitigations that often never make it out to the
>> public, or make it out after we have worked with the vendors for weeks
>> to get patches before the S* hits the fans. I am particularly paranoid
>> about what may be exposed on a gateway/firewall while waiting for that
>> all so important patch.
>> I don't like SME's laid back attitude to getting a 1st install patched,
>> for example. On 1st install, all services on the server MUST be blocked
>> until current updates are installed and configured, and only then opened.
>> So, no, your explanation does not make me feel more comfortable. But
>> then as indicated, I am a hard one to make comfortable....
> I could have missed something, but I don't recall any services being
> open on the external nic until you configure them. Are any? If you
> have a 1-nic setup they probably assume that something else is handling
> the firewalling.
Let's talk paranoia...
I see that kernel 2.6.9-78.0.8 was in the install and yum updated that
to 26.9.-78.0.13, what security patches were covered between those two
releases? Perhaps something in NetFilter? Of course a BIND update. I
have not done a 2 NIC install, and DNS is set up by default, so port 53
could be open.
But you are right, perhaps nothing is open until that first update. One
would hope, but then I would have to test it! :)
And I need IPv6 so it is a moot point for me.
>>> That's not particularly relevant - if you access from more than one
>>> location you might want to set up imaps access so all the messages are
>>> stored on the server and available through the hoard web interface if
>>> you aren't at your usual client(s).
>> I was at the IETF when IMAP was brought out of CMU and standardized, I
>> know the beast all too well.
> Yeah, on R4 and you still can't count on a good notification mechanism,
> but it is usable.
I was also the first chair for iCal, so I will take the blame for that
one too ;)
I did get out of that job as fast as I could find someone qualified to
lead those squabbling vendors.
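The "I would have to test it" point above is the one worth automating: before opening anything on a freshly installed box, list which sockets are actually bound to non-loopback addresses, on both IPv4 and IPv6. The script below is an added example written for this thread, not code from the CentOS or SME projects. It parses output in the column layout of `ss -ltnu` (header line dropped) and reports every listener that is reachable from outside the host; the sample output embedded in it is constructed, not captured from a real install.

```python
"""Report sockets listening on non-loopback addresses from `ss -ltnu` output."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `ss -ltnu` output (no header), not from a real host.
# It mixes loopback-only services (25, 953) with wildcard and link-local
# listeners on both address families.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      10           0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128            [::1]:953           [::]:*
tcp   LISTEN 0      128  [fe80::1%eth0]:80            [::]:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str          # "tcp" or "udp"
    addr: object        # ipaddress.IPv4Address or IPv6Address
    port: int

    @property
    def exposed(self) -> bool:
        """Anything not bound to loopback can be reached from another host
        (wildcard, a real interface address, or a link-local address)."""
        return not self.addr.is_loopback


def parse_local(field: str):
    """Split an ss local-address field such as '[::]:22' or '0.0.0.0:53'."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]   # drop brackets and IPv6 scope id
    if host == "*":                            # older ss/netstat print '*' for wildcard
        host = "0.0.0.0"
    return ipaddress.ip_address(host), int(port)


def parse_ss(text: str):
    """Turn ss output lines into Listener records; skips non-socket lines."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue                            # header or unrelated line
        proto, state = parts[0], parts[1]
        if proto == "tcp" and state != "LISTEN":
            continue                            # only listening TCP sockets matter
        addr, port = parse_local(parts[4])
        listeners.append(Listener(proto, addr, port))
    return listeners


def exposed_listeners(text: str):
    return [l for l in parse_ss(text) if l.exposed]


def exposed_ports(text: str):
    """Sorted (proto, port) pairs reachable from off-host, either family."""
    return sorted({(l.proto, l.port) for l in exposed_listeners(text)})


def ipv6_exposed(text: str) -> bool:
    """True if any exposed listener is on IPv6; a v4-only firewall misses these."""
    return any(l.addr.version == 6 for l in exposed_listeners(text))


if __name__ == "__main__":
    # On a real host: ss -ltnu | tail -n +2 | python3 thisscript.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for l in exposed_listeners(data):
        print(f"EXPOSED {l.proto}/{l.port} bound to {l.addr}")
    if ipv6_exposed(data):
        print("IPv6 listeners present: check ip6tables, not just iptables")
```

Run it against the sample and it flags 22, 53 and 80 while ignoring the loopback-only 25 and 953; the IPv6 check is there because a host that passes an IPv4-only review can still be wide open on `::`.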