[CentOS] Kind of OT: internal imap server

Fri Aug 25 18:01:04 UTC 2006
chrism at imntv.com <chrism at imntv.com>

Andy Green wrote:
> Les Mikesell wrote:
>
>>> If you are handling relatively low volumes of mail, say the low tens 
>>> of thousands a day, and "mail guy" is not a shout you respond to, 
>>> then I strongly recommend not becoming a white-coated acolyte to 
>>> these and to make the smaller brain-investment needed to get Postfix 
>>> working great.
>>
>> Unfortunately the amount of real mail you intend to handle doesn't
>> relate much to what can happen when you plug into the internet.
>
> Hm well I run my own MX that is "on the Internet" and have done for a 
> couple of years or more, and I do it with Postfix on a residential 
> cable modem.  I have never had these spamfloods.  Every day my daily 
> logs for this and other machines show one or more attempts to relay 
> which fail during SMTP time, so they go somewhere else.  Often the 
> recipient on the relaying attempt is undeliverable, they're just 
> interested if you'll take it.  I guess if you take their probes, then 
> you get the Zombie army hammering at the door.
>
> If you set your MTA (whatever it is) up with
>
>  - reject unknown usernames (much virus mail and a fair amount of 
> spam: gone)
>
>  - reduce the stock usernames in /etc/aliases, keep the RFC ones
>
>  - greylist one way or another (10 mins seems to work fine)
>
>  - reject non-FQDN HELO
>
>  - optionally reject "unknown" HELOs, ie, alleged mailservers that 
> lack reverse DNS
>
> you will knock out the vast bulk of your enemies before you spend any 
> real CPU or bandwidth on them.  So far I did not need to look at the 
> next step, doing a fake DNS lookup on one of the realtime blackhole 
> lists.
>
> Because all of these operate at SMTP transaction time the problems you 
> point out don't result in dodgy bounces that are sent to the alleged 
> From guy.  Anything that can't be talked out of sending dodgy bounces 
> to the alleged From guy would indeed be evil.

I use similar tactics on my postfix setups and have not had any DoS or 
other successful attacks against any of the servers under my care in the 
last 8 years or so.  And they're all dangling out on the Internet with a 
big bullseye painted on them.  So I think the risk is manageable and not 
terribly relevant for me.  I've got a few servers that are rather busy 
and have had servers in the past that were handling a few tens of 
thousands of users. 

Understanding and managing risks associated with being plugged in to the 
Internet is not an MTA-specific problem.  But I daresay that some MTAs 
are a bit more difficult to understand than others.  ;-)

Cheers,
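The SMTP-time restrictions listed in the quoted post (reject unknown recipients, greylist, reject non-FQDN and unknown HELO, keep the RBL lookup in reserve), written out as a Postfix main.cf fragment. This is an added illustration, not configuration from either poster. The policy-service address 127.0.0.1:10023 is the postgrey default and is an assumption here, as is the commented-out RBL zone, which is a placeholder rather than a real list.

```ini
# Added example: Postfix main.cf fragment for SMTP-time rejection.
# Not configuration from the mailing-list post; daemon address and RBL zone are assumptions.

# Only accept mail for the users and aliases that actually exist, so
# dictionary and virus bounces die at RCPT TO instead of bouncing later.
mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_reject_unlisted_recipient = yes

# Require a HELO/EHLO and refuse ones that are not a fully-qualified
# hostname; reject_unknown_helo_hostname additionally refuses names with
# no A or MX record (the "optional" step in the post: it costs a DNS
# lookup per connection and can reject misconfigured legitimate senders).
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

# Everything is decided before the DATA stage, so no bounce is generated
# toward a forged envelope sender. reject_unauth_destination is what
# keeps the box from being an open relay; it must come before any
# permissive check. The policy service is a greylisting daemon such as
# postgrey listening on 127.0.0.1:10023 (assumed address).
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:10023
#   reject_rbl_client rbl.example.invalid   ; placeholder zone, enable if needed

# Deny address harvesting via VRFY.
disable_vrfy_command = yes
```

After editing, `postfix check` validates the syntax, `postconf -n` shows the non-default values that are actually in effect, and `postfix reload` applies them. Watch the mail log for `NOQUEUE: reject:` lines for a few days before turning on `reject_unknown_helo_hostname`, since that is the check most likely to catch a real but sloppily configured correspondent.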