Re: [exim4] mixed up about terminology



On 10/8/2014 8:42 PM, lee wrote:
> Jerry Stuckle <jstuckle@attglobal.net> writes:
> 
>> On 10/6/2014 7:30 PM, lee wrote:
>>> Jerry Stuckle <jstuckle@attglobal.net> writes:
>>>
>>>> For instance, MUAs typically connect on port 587 (at least that is the
>>>> recommendation), while MTAs always use port 25. Additionally, MUAs
>>>> should always be validated with signon/password, to prevent the server
>>>> from becoming an open relay.
>>>
>>> 1:  You would have to require auth on port 25 just in case a MUA
>>>     connects on that port.  Since you could reasonably do this
>>>     exclusively for connections from authorised clients (i. e. clients
>>>     on your LAN), it doesn't seem very useful (unless you need to be
>>>     afraid of misbehaving clients on your own LAN).
>>>
>>
>> No, you don't.  There is nothing in the RFCs which requires port 25 to
>> be open to MUAs.  OTOH, there is RFC 2476, which reserves port 587
>> specifically for such submission.
> 
> How do you distinguish a MUA from an MTA at that point?
>

MUAs are supposed to use Port 587, as indicated by RFC 2476.  MTAs use
Port 25.

But if you don't know the difference between an MTA and an MUA, there is
no way I can help you.

>>> 2:  When nothing but authorised clients (like non-misbehaving MUAs on the
>>>     LAN) can connect to port 587, how does your MTA become an open relay
>>>     by not requiring authentication on port 587?
>>>
>>
>> Are you sure only authorized clients can connect?  How do you know your
>> local network is secure?  For instance, does your router have a software
>> bug which can allow someone to get in?  How about your WiFi access
>> point?  Are you sure those are secure?
> 
> Are you sure the authentication your MTA requires is secure?
> 

Yes.  Are you sure your MTA which requires NO authentication is secure?
Do you also run your systems with no password on root?

>> Spammers know better than almost anyone what is secure and what isn't.
> 
> In case someone breaks in, I have more to worry about than emails being
> sent.  And if someone does break in, what prevents them from disabling
> the authentication the MUA requires?
> 

If you don't have authentication on your MTA, anyone who gets into your
network can send whatever emails they want.  Do you also run your
systems with no password on root?

>> And large companies and governments spend millions of dollars a year to
>> secure their systems.  They are constantly monitoring their logs and
>> running tests, looking for holes.  They use commercial gear which is
>> quite expensive.  They have sysadmins with years of experience in both
>> administration and security.  Yet they still manage to get hacked.
> 
> Their networks tend to be a bit more endangered than a small LAN at
> home is.
> 

A false assumption.  Anyone connected to the internet can be endangered.

>> Are you saying you and your equipment are better than them?
> 
> You only need to be good enough.
> 

Which requires a certain level of security - including authentication to
ANY resource on the network.


>> I know a lot about security (it comes with living in the paranoid
>> security capital of the world).  I've spent a lot of time securing my
>> network with multiple levels of security.  But I'm not naive enough to
>> believe my network can't be hacked.
> 
> That's one of the problems with security.  It takes a lot of time to
> learn, a lot of time to implement and then a lot of time to use because
> you need to enter another password all the time.  And you don't even
> believe it's worthwhile yourself.
> 

Yup, and it only takes a little time for a hacker or spammer to break an
insecure system.

But how do you say I don't believe it's worthwhile?  Where have I EVER
said anything of the sort?  I KNOW security - and what it entails.

>>> 3:  How do you deal with messages not generated by MUAs when you have
>>>     blocked your MTA against the LAN through requiring auth?
>>>
>>>
>>
>> I don't require authorization on port 25.  But I also don't allow it.
>> All authorized users must go through port 587.  Unauthorized users can
>> only go through port 25, and have restricted rights.
> 
> So your systems aren't functioning because messages not generated by
> MUAs cannot be delivered?
> 
> 

All of my messages generated by MUAs are delivered just fine.

Jerry
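The port split argued for above (AUTH required on 587, never offered on 25, and port 25 accepting mail only for the server's own domains so it cannot relay) can be expressed in an Exim 4 ACL. This is an added example, not Jerry's actual configuration or anything posted in this thread; it assumes authenticators and TLS are set up elsewhere in the config, and example.com is a placeholder domain.

```exim
# Listen on the MTA port (25) and the submission port (587).
daemon_smtp_ports = 25 : 587

# Placeholder: the domains this server delivers for locally.
domainlist local_domains = example.com

# Advertise AUTH only on the submission port, so port 25 never offers it.
auth_advertise_hosts = ${if ={$received_port}{587} {*}{}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Submission port: authenticated clients may relay anywhere.
  accept  condition     = ${if ={$received_port}{587}}
          authenticated = *

  # Submission port without AUTH: refuse outright.
  deny    condition = ${if ={$received_port}{587}}
          message   = authentication required on the submission port

  # Port 25 (and anything else): only mail for our own domains, no relay.
  accept  domains = +local_domains

  deny    message = relay not permitted
```

Whether a client is an MUA or an MTA is decided here purely by the port it arrived on and whether it authenticated; an unauthenticated connection on 25 is never given relay rights, regardless of its source address.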