
Re: Cool things to do with server



On Mon, 23 Mar 2015 06:58:21 +1000
Stuart Longland <stuartl@longlandclan.yi.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 15/03/15 09:11, Joris Bolsens wrote:
> >> Mail server,
> > I thought about this, but from what I understand, mail servers are
> > notoriously difficult to secure properly.
> 
> The crucial bit is ensuring you don't openly relay all mail.  Only
> traffic from your authorised users.
> 
> That's the major tricky bit.  Nothing worse than coming home to a
> modem running red hot and a mail queue crammed with Viagra spam.
> (Been there, done that.  On dial-up too no less.)

There are basically two ways, with slight variations: you either relay
only for authenticated senders, and organise your network machines to
authenticate, or if your mail server is within your private network,
you can relay only for hosts in that network address range. If your
email server is outside your network, and not accessible by VPN, only
the authentication method is possible.

> The only issue you might hit is port 25/tcp being blocked by your ISP.
>  You may have to relay outbound email via their SMTP server.

I think that's quite rare, as I still get vast amounts of malware from
domestic connections. What is more likely is that outgoing mail will
not be accepted by many people for a variety of perfectly good
spam-reducing reasons. Many ISPs don't care if their IP address blocks
are on email blacklists, and won't make any attempt to have them
removed. Many will not provide means of setting a proper PTR record for
the IP address. In some parts of the world, it's difficult and/or
expensive to obtain a fixed IP address, and while some kind of job can
be done using a dynamic address, it's not ideal and almost certainly
the address pool will be blacklisted, requiring the use of an outgoing
smarthost.

-- 
Joe
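
The two relay policies described in the message above, as an added example that is not part of the original thread: a per-recipient decision that allows relaying only for authenticated senders or for clients in a trusted address range, plus a self-check for the open-relay case. The domain `example.org`, the range `192.168.1.0/24` and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configuration (assumptions, not from the thread).
LOCAL_DOMAINS = {"example.org"}                           # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # private LAN range


def _client_addr(ip):
    """Parse the client address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def in_trusted_net(ip, nets=TRUSTED_NETS):
    """True if the client address falls inside one of the trusted ranges."""
    addr = _client_addr(ip)
    return any(addr.version == net.version and addr in net for net in nets)


def decide(client_ip, authenticated, rcpt, allow_network=True):
    """Return (action, reason) for one RCPT TO.

    allow_network=False models a server outside the private network,
    where only authentication can authorise relaying.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in LOCAL_DOMAINS:
        return ("accept", "local delivery")       # inbound mail, not relaying
    if authenticated:
        return ("accept", "authenticated relay")
    if allow_network and in_trusted_net(client_ip):
        return ("accept", "trusted network relay")
    return ("reject", "relay access denied")


def is_open_relay(policy=decide):
    """Self-check: an outside, unauthenticated client must not reach an outside domain."""
    action, _ = policy("203.0.113.7", False, "user@example.net")
    return action == "accept"
```

Mail addressed to a local domain is accepted from any client because that is delivery rather than relaying; only recipients elsewhere are subject to the authentication or address-range test.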

