On Mon, Aug 04, 2003 at 08:44:14AM +0530, Suresh Ramasubramanian wrote:
> >The single hostfile is here:
> >http://marc.merlins.org/linux/exim/files/exim4-conf/exim4.conf
>
> much better than the huge mass of files that debian puts in (makes it
> look uncomfortably like qmail - lots of files scattered all over a
> directory) :)
This is a some-love-it, some-hate-it kind of thing.
I know it's easier to look at one file, but if you admin multiple exim
systems, the decentralized file scheme is much better to keep the same base
config on all the systems.
> now just one comment -
>
> >RFC1918=10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16
> ># To or from IPs we don't want to handle mail for (localhost/APIPA/test
> >block)
> ># Add RFC1918 for an internet only connected system
> >BOGUSIPS=127.0.0.1/8 : 169.254.0.0/16 : 192.0.2.0/24 : RFC1918
> >#BOGUSIPS=127.0.0.1/8 : 169.254.0.0/16 : 192.0.2.0/24
>
> There's a much longer list actually. You might want to use Rob Thomas'
> bogons.cymru.com, originally available as a bgp feed - but also as a
> dnsbl - http://www.cymru.com/Bogons/#dns ...
True, but due to how it's used, it needs to be a list, not an RBL.
That said, this can be added to the config file as an ACL for rejecting
connections.
> In fact, you should be filtering such IPs at your border routers themselves
> - no way in hell you are going to see packets from these (RFC1918 IPs,
> other bogons) inbound to your MX from outside your network.
Right.
> Also - do source IP filtering in exim as well (typically on the HELO
> string). If someone from outside your network connects direct to your
> MX and HELOs as one of your IPs, your hostname, or as one of the domains
> you host, then just drop the connection.
Not a bad idea.
I take contributions :-)
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
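The bogon-rejecting ACL Marc mentions and the HELO check Suresh proposes, written out as an added Exim 4 example; this is not from Marc's config file or anyone in the thread. It reuses the RFC1918/BOGUSIPS macros quoted above and assumes a `local_domains` domain list and a `relay_from_hosts` host list for the site (the names and addresses in them are placeholders).

```exim
# Macros as quoted above from Marc's config
RFC1918=10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16
BOGUSIPS=127.0.0.1/8 : 169.254.0.0/16 : 192.0.2.0/24 : RFC1918

# Assumed site lists (placeholders): domains we host, and hosts allowed to relay
domainlist local_domains    = example.com : example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.1.0/24

acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo

begin acl

acl_check_connect:
  # Our own hosts first, so loopback/LAN submissions survive the BOGUSIPS drop below.
  accept  hosts   = +relay_from_hosts

  # A source address that cannot legitimately reach the MX from outside:
  # close the connection instead of letting it into the SMTP dialogue.
  drop    hosts       = BOGUSIPS
          message     = Connection from reserved address $sender_host_address refused
          log_message = bogus source address

  accept

acl_check_helo:
  # Our own relaying hosts may HELO with whatever they like.
  accept  hosts   = +relay_from_hosts

  # Outsider claiming to be the address it just connected to, or our hostname.
  drop    condition   = ${if or{ \
                           {eq{$sender_helo_name}{$interface_address}} \
                           {eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}} \
                         }}
          message     = Forged HELO $sender_helo_name
          log_message = HELO as our own IP/hostname

  # Outsider claiming one of the domains we host.
  drop    condition   = ${if match_domain{$sender_helo_name}{+local_domains}}
          message     = Forged HELO $sender_helo_name
          log_message = HELO as a hosted domain

  accept
```

The `log_message` lines are what you grep the mainlog for to see how often each rule fires before deciding whether `drop` is too aggressive for your site.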