ietf-asrg

Re: [Asrg] MXs Used As Authentication - Why RMX?

2003-08-26 23:37:51
On 2003-08-25 18:51:36 +0000, Bart Schaefer wrote:
> On Aug 25, 11:58am, Alan DeKok wrote:
> } Subject: Re: [Asrg] MXs Used As Authentication - Why RMX?
> }
> }   It's been suggested that outgoing SMTP servers should be in an
> } entirely different address range than incoming servers, and that those
> } outgoing servers shouldn't accept ANY traffic other than what they
> } originate.  No SMTP, no ICMP, nothing at all.

ACK to SMTP. No to ICMP. Apart from those ICMP packages which need to
get through for proper operation (destination unreachable, fragmentation
needed, etc.) icmp echo should imho never be blocked for an active
computer on the internet. It doesn't add any security and just adds a
lot of hassle if you have to track down any problems. 


> Servers configured that way may find that they are not able to send
> mail to aol.com addresses.  AOL now periodically tests IPs from which it
> receives inbound mail to determine whether they are open relays.  My
> experience has been that if those IPs simply refuse inbound SMTP, they
> get put on AOL's blacklist; to pass AOL's open relay test, the server
> must both accept an SMTP connection, and then refuse to transmit.

Sounds like a stupid policy to me. If the server doesn't even accept
SMTP, how can it be an open relay? (of course it is possible that the
server only blocks AOL's IP-ranges and is open to everybody else - but
that would be a conscious policy-decision and not just an
open-by-default relay, and a similar policy can be implemented with
e.g., sendmail's access map at the SMTP level)

I see no reason why anybody outside of our firewall should be able to
connect to our outgoing server (except via an encrypted, authenticated
connection).

        hp

-- 
   _  | Peter J. Holzer    | Humor without emoticons is dry humor.
|_|_) | Sysadmin WSR       | 
| |   | hjp(_at_)hjp(_dot_)at         | -- Toni Grass in aip
__/   | http://www.hjp.at/ |
