Re: [exim] Deny vs. Drop

Author: Marc Sherman
Date:  
To: exim-users
Subject: Re: [exim] Deny vs. Drop
Daniel wrote:
>
> If you're referring to firewall rules,


I don't think he was. I'm pretty sure he was referring to the drop and
deny verbs in exim ACLs, which control whether or not exim terminates
the SMTP connection after sending a 5xx reply.

> you typically want to DROP
> incoming connections, and REJECT outgoing connections. DROP will send
> the packet to nowhere making you somewhat invisible and make the
> initiating connection wait and wait (this is good). However, you should
> probably REJECT connections from places you trust (like your lan) so
> your users aren't waiting like the bad guys.


That's not universally considered to be good advice. The issues are
similar to those with drop vs. deny at the SMTP layer that I mentioned
in my other message -- a zombie might just go away if the connection
isn't answered in a certain timeout, but a legitimate sender, assuming
your server to be a legitimate RFC-compliant internet server, would
probably assume a problem in the connection path caused the packets to
drop and could retry a few times before stopping. Rejecting the
connection, on the other hand, sends a clear RFC-compliant message to
legitimate (but unwanted) senders that this port is closed to them.

> -- 
> The world needs more Canada
>    - Bono


Sadly, your .sig file is quite out of date. A more accurate current
quote from Bono would be, "I am personally not just disappointed [in
Canada], I'm crushed actually."
http://www.cbc.ca/story/arts/national/2005/11/25/Arts/bono-martin-051125.html

- Marc
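An illustration of the exim ACL distinction Marc refers to above, as an added example that is not part of the original message or of any exim documentation. The domain, the hostlist name `bad_hosts` and the 192.0.2.0/24 network are constructed placeholders. Both verbs send a 5xx reply; `drop` additionally closes the SMTP connection, while `deny` leaves it open so a compliant MTA can try other recipients or QUIT.

```exim
# Added example (not from the original post or the exim project).
# Main configuration section: lists referenced by the ACL below.
domainlist local_domains = example.com          # constructed placeholder
hostlist   bad_hosts     = 192.0.2.0/24         # constructed placeholder network

# Run this ACL for every RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # drop: reply 5xx to the RCPT, then terminate the SMTP session.
  # Use it for hosts you never want to talk to, e.g. known zombies.
  drop    hosts   = +bad_hosts
          message = 550 Connections from this host are not accepted

  # deny: reply 5xx to this RCPT, but keep the connection open so a
  # legitimate (but unwanted) sender gets a clear, RFC-compliant answer
  # and can continue with other recipients or QUIT cleanly.
  deny    !domains = +local_domains
          message  = 550 Relay not permitted

  # Everything else: accept the recipient.
  accept
```

To check the behaviour without a live connection, run `exim -bh 192.0.2.10` and `exim -bh 198.51.100.10` (both constructed addresses) and type an SMTP dialogue; in the first case the session ends after the 550, in the second it stays open.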