[CentOS] Kind of OT: internal imap server
chrism at imntv.com
Fri Aug 25 18:01:04 UTC 2006
Andy Green wrote:
> Les Mikesell wrote:
>
>>> If you are handling relatively low volumes of mail, say the low tens
>>> of thousands a day, and "mail guy" is not a shout you respond to,
>>> then I strongly recommend not becoming a white-coated acolyte to
>>> these and to make the smaller brain-investment needed to get Postfix
>>> working great.
>>
>> Unfortunately the amount of real mail you intend to handle doesn't
>> relate much to what can happen when you plug into the internet.
>
> Hm well I run my own MX that is "on the Internet" and have done for a
> couple of years or more, and I do it with Postfix on a residential
> cable modem. I have never had these spamfloods. Every day my daily
> logs for this and other machines show one or more attempts to relay
> which fail during SMTP time, so they go somewhere else. Often the
> recipient on the relaying attempt is undeliverable, they're just
> interested if you'll take it. I guess if you take their probes, then
> you get the Zombie army hammering at the door.
>
> If you set your MTA (whatever it is) up with
>
> - reject unknown usernames (much virus mail and a fair amount of
> spam: gone)
>
> - reduce the stock usernames in /etc/aliases, keep the RFC ones
>
> - greylist one way or another (10 mins seems to work fine)
>
> - reject non-FQDN HELO
>
> - optionally reject "unknown" HELOs, ie, alleged mailservers that
> lack reverse DNS
>
> you will knock out the vast bulk of your enemies before you spend any
> real CPU or bandwidth on them. So far I did not need to look at the
> next step, doing a fake DNS lookup on one of the realtime blackhole
> lists.
>
> Because all of these operate at SMTP transaction time the problems you
> point out don't result in dodgy bounces that are sent to the alleged
> From guy. Anything that can't be talked out of sending dodgy bounces
> to the alleged From guy would indeed be evil.
I use similar tactics on my postfix setups and have not had any DoS or
other successful attacks against any of the servers under my care in the
last 8 years or so. And they're all dangling out on the Internet with a
big bullseye painted on them. So I think the risk is manageable and not
terribly relevant for me. I've got a few servers that are rather busy
and have had servers in the past that were handling a few tens of
thousands of users.
Understanding and managing risks associated with being plugged into the
Internet is not an MTA-specific problem. But I daresay that some MTAs
are a bit more difficult to understand than others. ;-)
Cheers,
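As an added illustration (not from either poster, and not a configuration from the thread), here is how the five points quoted above map onto Postfix main.cf directives; the postgrey socket path, the SASL entry and the reverse-DNS client check are assumptions about a typical CentOS/EPEL install, and the RBL line is left commented out as the "next step" the quoted post says it never needed:

```conf
# /etc/postfix/main.cf fragment (added example, not from the thread)

# 1. Reject unknown usernames at RCPT TO time.
#    These are the Postfix defaults; spelled out here so they are not
#    accidentally disabled. Anything not in passwd or aliases gets 550.
local_recipient_maps = proc:unix:passwd.byname $alias_maps
smtpd_reject_unlisted_recipient = yes
unknown_local_recipient_reject_code = 550

# 2. Trim /etc/aliases: keep postmaster and abuse (RFC 2142) and the
#    root/mailer-daemon plumbing; drop stock aliases nobody reads.
#    (Edit /etc/aliases, then run `newaliases`; nothing to set here.)

# 3. Greylisting via postgrey. The socket path assumes postgrey runs
#    under the Postfix queue directory, as the CentOS package does.
#    For the 10-minute delay mentioned above, start postgrey with
#    --delay=600 (its default is 300 seconds).
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service unix:postgrey/socket

# 4. Require HELO/EHLO and reject names that are not fully qualified.
#    permit_mynetworks comes first so your own LAN boxes are not hit.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

# 5. "Unknown" senders. reject_unknown_helo_hostname (above) checks
#    that the HELO name resolves; the reverse-DNS check on the
#    connecting IP is a client restriction. Expect some false
#    positives from badly configured but legitimate senders, so watch
#    the logs before leaving this on.
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_reverse_client_hostname

# Next step, not needed by the poster: a DNS blocklist lookup.
# reject_rbl_client <blocklist-zone-placeholder>
```

All of these fire during the SMTP transaction, so rejected mail never enters the queue and no bounce is generated toward the forged From address; `postconf -n` shows the effective values after a reload.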