Robert Moskowitz wrote:
I have seen attacks and mitigations that often never make it out to the public, or make it out after we have worked with the vendors for weeks to get patches before the S* hits the fans. I am particularly paranoid about what may be exposed on a gateway/firewall while waiting for that all so important patch.
I don't like SME's laid-back attitude to getting a 1st install patched, for example. On 1st install, all services on the server MUST be blocked until current updates are installed and configured, and only then opened.
So, no, your explanation does not make me feel more comfortable. But then as indicated, I am a hard one to make comfortable....
I could have missed something, but I don't recall any services being open on the external nic until you configure them. Are any? If you have a 1-nic setup they probably assume that something else is handling the firewalling.
That's not particularly relevant - if you access from more than one location you might want to set up imaps access so all the messages are stored on the server and available through the Horde web interface if you aren't at your usual client(s).
I was at the IETF when IMAP was brought out of CMU and standardized; I know the beast all too well.
Yeah, on R4 and you still can't count on a good notification mechanism, but it is usable.