Re: [exim] Prevent generation of bounces when deny-ing inacl…

Author: exim
Date:  
To: exim-users
Subject: Re: [exim] Prevent generation of bounces when deny-ing inacl_not_smtp
On Fri, Jan 16, 2009 at 07:08:58AM +0000, W B Hacker wrote:
> platform and IP:
>
> - do not permit any services 'other than' an all-virtual-user MTA on one
> 'server' (no local accounts).
>
> - permit NO mail services on another 'server' - say one with web sites.
>
> The webish one (or external fw) should block any outbound traffic
> destined for port 25.
>
> It *could* permit logging-in to its sibling on port 587 for controlled
> smarthost use. At that point, cron jobs aside, there are no longer any
> 'non-smtp' sessions, so the normal AUTH and SMTP session ACLs apply.
>
> Use of virtualized 'servers' means you do not necessarily need two
> physical boxen - though I'd still recommend it.


You're completely correct of course and I must say your suggestions have
given me a few ideas on where to move to in the future. One of my problems
is that these are live boxes with lots of happy customers and the boxes are
all running non-Xen kernels and they're not new enough for KVM. I can't
really use VirtualBox/VMWare as I refuse to put GUIs on the boxes because
they're servers.

However there's a distinct possibility that I could run up some older box
to behave as an outgoing mail server so as to centralize the filtering. I
already filter outbound traffic for regular users (and the web server user
more so for all the lame PHP scripts) so port 25 traffic isn't a problem.
But an outbound mail server like this would help with this issue because
most comment/419 spammers (my biggest problem) hop around different sites on
different web servers. In this case it would all be logged centrally so it
would be much easier to pull blocking stats from.

Thanks for your suggestions I'll see what I can come up with.

Regards,
Colin.

--
Then graphics games came along and the computer using portion of the human race
forgot all about 500,000 years of language evolution and went straight back to
the electronic equivalent of banging rocks together - the point'n'click game
- http://www.douglasadams.com/creations/infocomjava.html
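The "controlled smarthost use" described in the quoted advice, as an added example that is not from either poster: an Exim configuration for the web host that refuses to deliver anywhere directly and instead hands every non-local message to the mail-only sibling on port 587, authenticated and over TLS, so all outbound mail (including what PHP scripts inject locally) is logged and filtered in one place. The hostname `mta.example.net`, the account name `webhost` and the password placeholder are assumptions; the outbound port 25 block itself belongs in the host or edge firewall and is not shown here.

```exim
# ---- routers section (order matters; this is the only router for remote mail) ----
# Send everything that is not a local domain to the sibling MTA on the submission port.
# "no_more" stops Exim falling through to a dnslookup router, so the web host can never
# attempt direct delivery even if the smarthost is unreachable (mail queues instead).
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = smarthost_smtp
  route_list = * mta.example.net
  no_more

# ---- transports section ----
# Port 587 only; refuse to send unless the session is both TLS-protected and authenticated,
# so a misconfigured or spoofed "smarthost" cannot silently accept plaintext, unauthenticated mail.
smarthost_smtp:
  driver = smtp
  port = 587
  hosts_require_tls = *
  hosts_require_auth = *
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_verify_hosts = *

# ---- authenticators section ----
# Client-side PLAIN: "^" stands for the NUL separator in the SASL PLAIN exchange.
# The password is an assumed placeholder; keep the real one in a root-readable file
# referenced via ${readfile...} or a lookup rather than inline in the main config.
smarthost_plain:
  driver = plaintext
  public_name = PLAIN
  client_send = ^webhost^CHANGE_ME_SMARTHOST_PASSWORD
```

Pair this with an account on the sibling MTA whose ACLs rate-limit and log submissions per authenticated user, which is where the "blocking stats" the poster wants become easy to pull from a single log.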