Andy Green wrote:
> Les Mikesell wrote:
>
>>> If you are handling relatively low volumes of mail, say the low tens
>>> of thousands a day, and "mail guy" is not a shout you respond to,
>>> then I strongly recommend not becoming a white-coated acolyte to
>>> these and to make the smaller brain-investment needed to get Postfix
>>> working great.
>>
>> Unfortunately the amount of real mail you intend to handle doesn't
>> relate much to what can happen when you plug into the internet.
>
> Hm well I run my own MX that is "on the Internet" and have done for a
> couple of years or more, and I do it with Postfix on a residential
> cable modem. I have never had these spamfloods. Every day my daily
> logs for this and other machines show one or more attempts to relay
> which fail during SMTP time, so they go somewhere else. Often the
> recipient on the relaying attempt is undeliverable; they're just
> interested if you'll take it. I guess if you take their probes, then
> you get the Zombie army hammering at the door.
>
> If you set your MTA (whatever it is) up with
>
> - reject unknown usernames (much virus mail and a fair amount of
> spam: gone)
>
> - reduce the stock usernames in /etc/aliases, keep the RFC ones
>
> - greylist one way or another (10 mins seems to work fine)
>
> - reject non-FQDN HELO
>
> - optionally reject "unknown" HELOs, i.e., alleged mailservers that
> lack reverse DNS
>
> you will knock out the vast bulk of your enemies before you spend any
> real CPU or bandwidth on them. So far I did not need to look at the
> next step, doing a fake DNS lookup on one of the realtime blackhole
> lists.
>
> Because all of these operate at SMTP transaction time the problems you
> point out don't result in dodgy bounces that are sent to the alleged
> From guy. Anything that can't be talked out of sending dodgy bounces
> to the alleged From guy would indeed be evil.
I use similar tactics on my Postfix setups and have not had any DoS or other successful attacks against any of the servers under my care in the last 8 years or so. And they're all dangling out on the Internet with a big bullseye painted on them. So I think the risk is manageable and not terribly relevant for me. I've got a few servers that are rather busy and have had servers in the past that were handling a few tens of thousands of users.

Understanding and managing risks associated with being plugged in to the Internet is not an MTA-specific problem. But I daresay that some MTAs are a bit more difficult to understand than others. ;-)

Cheers,
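The SMTP-time checks listed in the quoted message, written out as a Postfix configuration. This is an added example, not configuration from either poster; the restriction and parameter names are real Postfix ones, while the greylisting policy-server address, the trimmed /etc/aliases contents and the "admin" mailbox are assumptions made for the example.

```ini
# ---- /etc/postfix/main.cf (constructed example) ----
# Everything below rejects during the SMTP transaction, so no bounce is ever
# generated for a forged envelope sender. smtpd_delay_reject keeps the
# HELO/sender/recipient triple in the log line for later review.
smtpd_delay_reject = yes
smtpd_helo_required = yes

# 1. Unknown usernames: recipients are checked against local_recipient_maps
#    (by default the unix passwd file plus /etc/aliases) and refused with 550.
smtpd_reject_unlisted_recipient = yes
unknown_local_recipient_reject_code = 550

# 2. HELO checks. Own networks and authenticated users are exempted first so
#    that restriction order, not luck, decides what gets rejected.
#    reject_unknown_helo_hostname also hits badly configured but legitimate
#    senders; warn_if_reject logs what would be refused without refusing it,
#    so review the log before removing the prefix.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname

# 3. Recipient-time checks: refuse to relay for anyone else, refuse clients
#    whose IP has no reverse DNS, then hand the remainder to a greylisting
#    policy daemon (e.g. postgrey; the socket address is an assumption).
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_reverse_client_hostname,
    check_policy_service inet:127.0.0.1:10023

# Stops VRFY being used to confirm which usernames exist.
disable_vrfy_command = yes

# ---- /etc/aliases (constructed example) ----
# Only the RFC 2142 role names are kept; the "admin" mailbox is assumed.
# Run newaliases after editing so Postfix sees the change.
postmaster: root
abuse:      root
hostmaster: root
webmaster:  root
root:       admin
```

Check the effective values with `postconf -n` and, after `postfix reload`, confirm in the mail log that rejections appear as `NOQUEUE: reject:` lines rather than as queued bounces.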