MSA & MTA & Milters Was [Re: Firewall and NAT]

Ow Mun Heng Ow.Mun.Heng at wdc.com
Wed Nov 3 03:31:09 UTC 2004


On Wed, 2004-11-03 at 10:37, Alexander Dalloz wrote:
> On Wed, 03.11.2004 at 3:13, Ow Mun Heng wrote:

> > How can one Explicitly bind the milters then?
> 
> Paul posted it recently, so did I. It is set via the sendmail.mc in the
> sendmail.cf. See Paul's posting:
> 
> http://marc.theaimsgroup.com/?l=fedora-list&m=109845682807103&w=2
> http://marc.theaimsgroup.com/?l=fedora-list&m=109884722321154&w=2

Thanks. (Do you have the title of your email instead? I don't have I-net
access, but I have like 40,000 mails from the Fedora mailing list cached
locally.)

> 
> > > >       * How much do you trust authenticating users? When malware gets
> > > >         sent (unknown to the originator) does it send through the user's
> > > >         MUA (e.g. if users are using Outlook(R))?
> > > 
> > > In which way is that specific for using the MSA? If you have a worm on a
> > > Windows[tm] machine being able to use the auth data saved within the
> > > mail program, then it does not matter whether you use the MTA or the
> > > MSA. As server administrator you can hardly handle such cases. Only if
> > > you have a close eye on the logs and you observe suspicious sendings.
> > 
> > That statement was closely related to my 1st point, e.g.: if the MSA does
> > not run any milters, then it _would_ matter, wouldn't it?
> 
> I don't understand why that depends on any milter? Sendmail handles the
> authentication by using SASL. How should any daemon (not a Sendmail
> specific question) distinguish valid and "stolen" auth data? Do you have
> any sophisticated milter in mind?

You misunderstood me. I'm not talking about auth and the like. (Meaning,
since Outlook(R) caches the auth etc., it's meaningless actually once
compromised.) I was merely stating that MSAs (like mine) do not have
milters bound. (At least I think it doesn't, which I need to check.)

> 
> > > > I believe that sendmail is right to instruct that the MSA only be used
> > > > on internal systems. (and if there's a choice, only for the sending
> > > > system and not to accept from other connections on the LAN). I guess it
> > > > also depends, how much you trust systems within your LAN or otherwise
> > > 
> > > If you don't open the default MSA - means without authentication
> > > enforcement -, then I wouldn't see the problem you see.
> > 
> > Okay, let's put it this way. For users such as myself, who use *nix and
> > are sure that there is _no_ malware that affects 99% of the non
> > *nix/*bsd systems, then usage of the MSA w/o any milters is useful.
> 
> Please explain to me in which way you see here a difference to using the
> MTA. You refer to the things Leonard Isham quoted here in this thread?

Well.. Here's assuming that the MSA is run w/o any milters, only running
via localhost/loopback/only for auth'ed (*nix clients?). This is _only_
to save a few CPU cycles/load.

> > If however, the original poster only wanted to open up an MTA/MSA for his
> > user that has port 25 blocked by the ISP, I see no reason in just
> > running another MTA on another port for that user. (But frankly, all
> > that trouble for the 1 user? hehe) Better yet, port-forward the default
> > port 25 to another server running an MTA on, say, port 2525. That way,
> > there's only 1 listening MTA.
> 
> You need to run the MTA on port 25 if you want to receive mail from
> unknown users / other servers. There may be scenarios where users with a
> "private" mail server on a dial-in line don't need to receive mail from
> other servers. Ok, those could close the MTA.

Unless they, like me, run fetchmail to feed the mails to the MTA for the
milters to work.
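For readers following the MTA/MSA split discussed above, here is an added sendmail.mc fragment (not from this thread or Paul's posting) showing the layout the exchange describes: a public MTA on port 25 and an MSA on the submission port that listens only on loopback and requires SMTP AUTH. The milter name and socket path are assumed placeholders.

```m4
dnl Added example, not from the thread: separate MTA and MSA daemons.
dnl Drop the stock MSA so the explicit DAEMON_OPTIONS below define it.
FEATURE(`no_default_msa')dnl
dnl Public MTA: other servers deliver here, so this is where milters matter.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl MSA: loopback only (Addr=127.0.0.1), no ETRN (E), auth required (a).
DAEMON_OPTIONS(`Port=submission, Addr=127.0.0.1, Name=MSA, M=Ea')dnl
dnl INPUT_MAIL_FILTER registers the milter for this sendmail instance; a
dnl milter that wants to treat MSA traffic differently can read {daemon_name}
dnl (MTA or MSA) at connect time, which this macro list exports to it.
define(`confMILTER_MACROS_CONNECT', `j, _, {daemon_name}, {if_name}, {if_addr}')dnl
dnl Placeholder milter: name and socket path are assumed, not real ones.
INPUT_MAIL_FILTER(`example-filter', `S=unix:/var/run/example-filter.sock, F=T, T=S:4m;R:4m')dnl
```

After regenerating sendmail.cf, `ss -ltnp` (or `netstat -ltnp`) should show port 587 bound to 127.0.0.1 only, while port 25 stays on all addresses.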
