Re: Does email server OS needs clamav?
On Fri, 04 Dec 2009, Sthu Deus wrote:
> Personally, I do not trust the local network I have the deal with - much
> more than the Internet... So, for me it is much better to protect the
> server - to let it working as it should providing its services rather than
> try to explain the people the primitive rules on IT-security - in other
> words, let it be up to them, separately.
However, assuming it is also an outbound MTA, you should be aware that an
AV-less, content-filter-less MTA will forward actively harmful data to the
world at large, and thus it will be blacklisted in no time flat.

And it will be a well deserved blacklisting, obviously. Your "safer server"
_would_ be a danger to everyone else in that situation.

Here at work, we go to great lengths to make sure no virus or spam
can get through the MTAs, either inbound _or_ outbound. Anything we
wouldn't let get inside, must NOT go outside either.

There is more to it too: we have strict rate limiting and controls (I love
postfix) to catch any internal box which is doing funny stuff. Our clients
and servers are compelled to behave where technically possible. We can't
always stop spam or phish, but we _can_ detect and stop a spam-run, and DoS
attacks from the inside or outside do _not_ get through (while a massive one
can bring down the MTA cluster, it will die there and not get past it).

Every box (_all_ servers and _all_ clients) is forced to go through the MTA
clusters for port 25 access. All our firewalls (and not just the border
firewalls) block any sort of port 25 traffic which doesn't have one of the
endpoints in the MTA clusters.

That's called good neighbour policy, the internet would be a much better
place if everyone did that (filter out crap that is trying to leave their
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
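
An audit of the port 25 rule described in the message above, added here as an example and not part of the original post: it flags flows on port 25 where neither endpoint is in the MTA cluster and counts repeat offenders per source. The cluster range, the "src dst port" record format and all function names are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the MTA cluster lives in this documentation range (not from the post).
MTA_CLUSTER = [ipaddress.ip_network("192.0.2.0/28")]
SMTP_PORT = 25

# Constructed flow records, one per line: "src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
10.1.4.20 192.0.2.5 25
192.0.2.5 203.0.113.77 25
10.1.4.31 198.51.100.9 25
10.1.4.31 198.51.100.12 25
10.1.4.31 203.0.113.80 25
10.1.7.2 198.51.100.9 443
203.0.113.50 192.0.2.6 25
203.0.113.50 10.1.9.9 25
"""

def in_cluster(addr):
    """True if addr belongs to one of the MTA cluster networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MTA_CLUSTER)

def parse_flows(text):
    """Yield (src, dst, port); reject malformed records instead of skipping them."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 3 or not parts[2].isdigit():
            raise ValueError(f"line {lineno}: expected 'src dst port'")
        src, dst, port = parts
        ipaddress.ip_address(src)  # raises ValueError on a bad address
        ipaddress.ip_address(dst)
        yield src, dst, int(port)

def smtp_violations(flows):
    """Port 25 flows that bypass the cluster: neither endpoint is an MTA."""
    return [(s, d) for s, d, p in flows
            if p == SMTP_PORT and not (in_cluster(s) or in_cluster(d))]

def offenders(violations, threshold=2):
    """Sources with at least `threshold` bypass attempts (threshold is arbitrary)."""
    counts = Counter(src for src, _ in violations)
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = smtp_violations(parse_flows(SAMPLE_FLOWS))
    print(found, offenders(found))
```
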