On 2003-08-25 18:51:36 +0000, Bart Schaefer wrote:
> On Aug 25, 11:58am, Alan DeKok wrote:
> } Subject: Re: [Asrg] MXs Used As Authentication - Why RMX?
> }
> } It's been suggested that outgoing SMTP servers should be in an
> } entirely different address range than incoming servers, and that those
> } outgoing servers shouldn't accept ANY traffic other than what they
> } originate. No SMTP, no ICMP, nothing at all.

ACK to SMTP. No to ICMP. Apart from those ICMP packages which need to get
through for proper operation (destination unreachable, fragmentation
needed, etc.), ICMP echo should IMHO never be blocked for an active
computer on the internet. It doesn't add any security and just adds a lot
of hassle if you have to track down any problems.

> Servers configured that way may find that they are not able to send
> mail to aol.com addresses. AOL now periodically tests IPs from which it
> receives inbound mail to determine whether they are open relays. My
> experience has been that if those IPs simply refuse inbound SMTP, they
> get put on AOL's blacklist; to pass AOL's open relay test, the server
> must both accept an SMTP connection, and then refuse to transmit.

Sounds like a stupid policy to me. If the server doesn't even accept SMTP,
how can it be an open relay? (Of course it is possible that the server
only blocks AOL's IP ranges and is open to everybody else, but that would
be a conscious policy decision and not just an open-by-default relay, and
a similar policy can be implemented with, e.g., sendmail's access map at
the SMTP level.)

I see no reason why anybody outside of our firewall should be able to
connect to our outgoing server (except via an encrypted, authenticated
connection).

hp

-- 
   _  | Peter J. Holzer    | Humor without emoticons is dry humor.
|_|_) | Sysadmin WSR       |
| |   | hjp@hjp.at         |    -- Toni Grass in aip
__/   | http://www.hjp.at/ |
Attachment:
pgp00092.pgp
Description: PGP signature
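The firewall policy sketched in the post above (outbound-only mail relay: no inbound SMTP from outside, but the ICMP types needed for error reporting and path-MTU discovery, plus echo, left open) can be written down as an nftables ruleset. The script below is an added example, not part of the original thread or of any of the participants' configurations; the interface-independent rules, the internal networks (documentation ranges 192.0.2.0/24 and 2001:db8::/32), the table name `mailrelay` and the echo rate limit are all assumptions to be adapted to a real site.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): nftables ruleset for
# an outbound-only mail relay. Inbound SMTP (25) is accepted only from the
# internal networks; the ICMP/ICMPv6 error types needed for correct operation
# and for path-MTU discovery are allowed, and echo-request is allowed too.
# Assumed values (not from the thread): internal networks below, table name
# "mailrelay", and a 10/s rate limit on echo. Adjust them for your site.

set -eu

INTERNAL_V4="${INTERNAL_V4:-192.0.2.0/24}"
INTERNAL_V6="${INTERNAL_V6:-2001:db8::/32}"

# Emit the ruleset on stdout so it can be reviewed, diffed, or fed to `nft -f -`.
# Note: this only adds a table; merge it into your existing ruleset as needed.
mail_relay_ruleset() {
    cat <<EOF
table inet mailrelay {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP that must get through: error reports and path-MTU discovery
        # (the "fragmentation needed" case is destination-unreachable code 4
        # for IPv4 and packet-too-big for IPv6).
        ip protocol icmp icmp type {
            destination-unreachable, time-exceeded, parameter-problem
        } accept
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert
        } accept

        # Echo stays reachable (rate-limited); blocking it adds no security
        # and only makes troubleshooting harder.
        ip protocol icmp icmp type echo-request limit rate 10/second accept
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/second accept

        # Inbound SMTP only from the inside; the outside world never reaches port 25.
        ip saddr $INTERNAL_V4 tcp dport 25 accept
        ip6 saddr $INTERNAL_V6 tcp dport 25 accept

        # Submission (587) is reachable from anywhere, but the MTA behind it must
        # require STARTTLS and authentication before accepting any recipient.
        tcp dport 587 accept

        # Everything else is dropped by the chain policy.
    }
}
EOF
}

# Syntax-check the generated ruleset with nft when it is installed (requires
# the usual nft privileges); otherwise report that the check was skipped.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        mail_relay_ruleset | nft -c -f -
    else
        echo "nft not installed; ruleset not syntax-checked" >&2
    fi
}

# To apply after review:  mail_relay_ruleset | nft -f -
mail_relay_ruleset
```

The port 25 rules are deliberately the only place the internal networks appear: everything from outside that is not an ICMP error, an echo, or a submission connection hits the drop policy, while the relay-denial for submission clients is left to the MTA (which is where sendmail's access map, mentioned in the post, would do that job).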