On Wed, Nov 16, 2005 at 07:40:54PM +0000, Jason Meers wrote [and I've fixed
his quoting]:
[>I wrote:]
[>> Jason wrote:]
>>> A new user doesn't *necessarily* need to know how to configure any of
>>> the following if they haven't got a working server to begin with:
>>> av_scanner
>>> mime decoding and content checking
>> I would say that one or other of these are virtually required on the
>> modern internet.
> I am not excluding them, but what use is an exim server configured for
> AV scanning that won't start because the user can't comprehend
> everything at once.
>
> Did your first ever attempt at building a mail server incorporate virus
> scanning and mime decoding or did you have to learn in small steps?
No, my first attempt at building a mailserver and even an exim mailserver
predates ILOVEYOU, and even many of the word macro viruses. At the time
of those, you had to actually open the attachment to do anything.
>> In postfix, you generally have to work out what special case Wietse
>> was thinking of for your situation, qmail is just fuelled on so much
>> crack, only one person in the world still uses smail, and, well, I'd
>> trust Exchange as far as I could lob the box it runs on off a high
>> cliff...
> If only somebody had written a beginners guide...
Erm, well, I didn't learn from posting to this list. I learnt by
understanding the concepts of RFC821 (this predates 2821, obviously)
and RFC1123 and RFC1425 (all of which have been basically merged into
2821). I then read the Bat Book (Sendmail) and wrote my sendmail config
from that.
When I switched to exim, I learnt from understanding the concepts in
sendmail, understanding mail delivery, and reading the exim specification
cover to cover. I then had an idea of what exim could do and how it could
do it (by this time, exim was well into v3). It took me a while to switch
to v4, but when I did, I did it by running convert4r4 on my by-now
completely written-from-scratch (and rather complex) config, and rereading
the version of the exim specification I was switching to, and getting some
idea of the differences. For more recent upgrades, I've not needed to ask
here, but I've merely looked at archives (I've been watching this list for
a while), and read the relevant bits of the spec to update my config.
> Think back, what if you were looking for help and somebody on the qmail
> list or postfix list told you that...
The qmail list is full of djb saying "well, that's not in my reading of the
RFCs, so you couldn't possibly want to do it, and qmail won't let you".
The patchfest that you have to install to get qmail to do anything useful
is just not worth it. I know a lot of people who use postfix and like it,
and if I were going to learn how to use it (for whatever reason) then I'd
be sitting down and reading the manual, and looking at some sample configs
and understanding what they do.
>> if you're not prepared to deal with this, it could be possible that
>> you're not suited to being a mail admin.
> The example I showed is safe for a newbie to install:
> - it uses "example.com" which has no MX records
> - it does not allow domain literals
> - it runs on a non-routable network address 10.0.0.0
This is in violation of the spirit (though not the letter) of RFC1918, which
says you should choose a random small subnet in the private spaces to avoid
future collisions.
> If I install this configuration on a machine under my kitchen table how
> is this a risk to the internet and other users (assuming you don't live
> in the same house or break in).
Let's face it though, how many machines migrate from "under the kitchen
table" to "my internet facing router", and how are these people to
realistically evaluate the threats that face them. To go back to my
analogy with driving, it's legal here to learn to drive on private land
before you are 17, but that will teach you how to operate a car, not how
to anticipate the actions of other road users, and isolate hazards on roads
and deal with them - things that you have to learn to pass your driving
test. What makes running a mailserver different in your mind?
> My interest is not in showing new users how to write an open relay, most
> of the articles I've written have been about securing servers. Giving
> guidance actually helps users who don't know what they are doing.
Absolutely, but giving guidance to those users, when they haven't wanted
to actually understand the software they're using and more to the point,
why they need to, seems like a potentially thankless and even worthless
task to me at times.
> Please have a look at a previous guide I wrote for the Exim Conference
> in February, it will give you an idea of what I think we should have for
> new users.
> http://www.uit.co.uk/exim-conference/full-papers/jason-meers.pdf
Will do, thanks for the link.
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
(Please use this address to reply)