Firewall and NAT
Ow Mun Heng
Ow.Mun.Heng at wdc.com
Wed Nov 3 01:05:44 UTC 2004
On Tue, 2004-11-02 at 17:00, Paul Howarth wrote:
> On Mon, 2004-11-01 at 18:55, Leonard Isham wrote:
> > I suspect that these are the reasons sendmail.org recommends firewalling MSA:
> >
> > Meant to be less strict on standards compliance
> > * Addresses don't have to be fully qualified
> > * Hostnames don't have to be fully qualified
> > * Don't require "required" headers, e.g. Message-ID: and Date:
[SNIP]
> Hence the advice of firewalling it off from external
> clients. However, there is another way to prevent this, i.e. by setting
> up the MSA with the "a" daemon flag, like this:
>
> FEATURE(`no_default_msa')dnl
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> The "a" flag makes the MSA require authentication from any client
> connecting to it. This is how to ensure that only genuine roaming users
> with the right username/password can access the MSA, without leaving it
> open to anybody attempting local delivery.
Hey Paul...
How did you locate the M=Ea option? Is it anywhere in the sendmail doc?
(not online meaning)
The other concern with this and the method of using MSAs is
* It does not have any milters/filters in place. What's stopping
  spam/malware etc. from coming in through that path?
* How much do you trust authenticating users? When malware gets
  sent (unknown to the originator) does it send through the user's
  MUA (e.g. if users are using Outlook(R))?
I believe that sendmail is right to instruct that the MSA only be used
on internal systems (and if there's a choice, only for the sending
system and not to accept from other connections on the LAN). I guess it
also depends on how much you trust systems within your LAN or otherwise.
My 2 cents.
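
An added example, not part of the thread and not sendmail's own code: a small Python audit of a sendmail.mc for the setup quoted above, flagging any submission listener whose modifiers lack the "a" flag. The sample .mc text is constructed and the function names are hypothetical; it assumes sendmail's built-in MSA (Port=587, M=E) is active unless `no_default_msa` is set.

```python
import re

# Constructed sample sendmail.mc fragments (not taken from a real host).
WEAK_MC = "DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl\n"
HARDENED_MC = """\
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
"""

SUBMISSION_PORTS = {"submission", "587"}
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")
NO_DEFAULT_MSA_RE = re.compile(r"FEATURE\(`no_default_msa'\)")

def active_lines(mc_text):
    """Yield non-empty lines, dropping whole-line comments (dnl or #)."""
    for line in mc_text.splitlines():
        s = line.strip()
        if s and not s.startswith(("dnl", "#")):
            yield s

def parse_daemons(mc_text):
    """Return one dict of lower-cased option names per DAEMON_OPTIONS entry."""
    daemons = []
    for line in active_lines(mc_text):
        for body in DAEMON_RE.findall(line):
            opts = {}
            for pair in body.split(","):
                key, _, value = pair.partition("=")
                opts[key.strip().lower()] = value.strip()
            daemons.append(opts)
    return daemons

def audit_msa(mc_text):
    """List submission listeners that accept mail without SMTP AUTH."""
    findings = []
    daemons = parse_daemons(mc_text)
    text = "\n".join(active_lines(mc_text))
    if not NO_DEFAULT_MSA_RE.search(text):
        # Assumption: without no_default_msa the default MSA is still listening.
        daemons.append({"port": "587", "name": "default MSA", "m": "E"})
    for d in daemons:
        if d.get("port", "smtp").lower() not in SUBMISSION_PORTS:
            continue
        # Modifier letters are case-sensitive; only lowercase "a" requires AUTH.
        flags = d.get("m", d.get("modifiers", ""))
        if "a" not in flags:
            findings.append(f"{d.get('name', '?')}: M={flags or '-'} lacks 'a'")
    return findings
```
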