Thread: Re: Rép. : How to get Postfix to




Re: Rép. : How to get Postfix to
2007-08-17 09:14:14
What about putting the Maia/postfix box in the DMZ, have the firewall NOT accept mail, but rather forward all port 25 traffic to that box and let it, with the proper recipient verification, accept and reject mail?  Problems all solved.

As long as you're accepting all mail and then bouncing,
you're pretty much screwed no matter which way you turn.


-- 
Rick Zeman
Manager of Information Technology
Melwood Horticultural Training Center
301.599.4574 - HelpDesk
301.599.4560 - MyDesk
http://www.melwood.org

>>> "Mike Abraham" <Mabrahamconestogac.on.ca> 8/17/2007 10:02:36 AM
>>>
The problem I'm faced with though is our Firewall (Sidewinder) blindly accepts all incoming mail, then passes it to our mail gateway (Maia) which rejects unknown recipient. So I'm actually rejecting it after it's arrived, causing headaches for the Firewall to try & send back to bogus sender address (waits for it to expire - 4 days).

Secure Computing (Sidewinder) says it's our MTA's fault for bouncing the message - it should discard it. Verifying the recipient on the Sidewinder opens a whole new can of worms (tying up the Firewall, etc).

I've thought about placing the Maia on the outside of the Firewall, but I'm hesitant on leaving it unprotected in the DMZ.

It's a no-win. Either way.

Mike Abraham




>>> On 8/17/2007 at 9:28 AM, "Éric Bellavance" <eric.bellavance@finances.gouv.qc.ca> wrote:
Mike,

On my side, the Postfix server checks for the user against my internal server. If the user doesn't exist the connection is closed with the sender server.

In the main.cf I added

smtpd_recipient_restrictions=reject_unverified_recipient
unverified_recipient_reject_code=550

With this option the recipient is verified as soon as the RCPT TO command is passed to the server, and the connection is closed if there is no such user...

Hope this helps,

Eric

-------------------------------------------------------
Eric Bellavance
IT analyst
Networks and specialized services
Direction Principale des Systèmes d'Information
Ministère des Finances
Tel: (418) 528-1901
Cell: (418) 569-9174
Email: eric.bellavance@finances.gouv.qc.ca
   
  
  
 >>> "Mike Abraham" <Mabrahamconestogac.on.ca> 08/16/07 11:12 pm >>>
Does anyone know how to tell PostFix to discard Unknown User messages instead of rejecting with 550 - User Unknown ?????

We're getting hit with a 'ton' of bogus sender/recipient messages tying up our servers with generation of back-scatter.

Short of using header & body _checks, I can't find a way to do this.
  
  
  
  Thanks
  
  Mike Abraham
  Conestoga College
  
_______________________________________________
Maia-users mailing list
Maia-users@renaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users


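The point Eric's configuration makes (refuse the unknown recipient at RCPT TO, before any message is accepted) versus the accept-then-bounce behaviour Mike's firewall shows, as an added toy model; this is not code from the thread, from Maia or from Postfix, and the KNOWN_RECIPIENTS table and all addresses are constructed stand-ins for Postfix's recipient verification probe.

```python
"""Toy SMTP receiver (added example; not code from the thread, Maia or
Postfix). Contrasts rejecting an unknown recipient at RCPT TO with 550
against accepting everything and bouncing later (backscatter)."""

# Constructed recipient table standing in for Postfix's verification probe
KNOWN_RECIPIENTS = {"alice@example.org", "bob@example.org"}

class SmtpReceiver:
    def __init__(self, reject_at_rcpt: bool):
        self.reject_at_rcpt = reject_at_rcpt
        self.bounces = []      # NDRs we would queue to the envelope sender
        self.sender, self.rcpts, self.in_data = None, [], False

    def handle(self, line: str) -> str:
        if self.in_data:
            if line != ".":
                return ""                    # body line, no reply yet
            self.in_data = False
            # 250 here means we took responsibility for delivery; an unknown
            # recipient can now only be reported by bouncing to the sender.
            for r in self.rcpts:
                if r not in KNOWN_RECIPIENTS:
                    self.bounces.append((self.sender, r))
            self.sender, self.rcpts = None, []
            return "250 2.0.0 Ok: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.org"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ").lower()
            if self.reject_at_rcpt and rcpt not in KNOWN_RECIPIENTS:
                # Refused before DATA: the sending MTA owns the failure and
                # nothing is queued here, so no backscatter is possible.
                return "550 5.1.1 Recipient address rejected: User unknown"
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 5.5.2 Error: command not recognized"

def run_session(reject_at_rcpt: bool, lines):
    # Drive one client session; returns (replies, bounces generated)
    srv = SmtpReceiver(reject_at_rcpt)
    return [srv.handle(l) for l in lines], srv.bounces
```

With reject_at_rcpt=True a forged-sender message to an unknown user never gets past RCPT TO, so nothing is queued and no bounce goes to the forged address; with it False the message is queued and a bounce to the forged sender is the only way to report the failure.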
Re: Rép. : How to get Postfix to
2007-08-17 11:05:09


On Aug 17, 2007, at 9:14 AM, Rick Zeman wrote:

> What about putting the Maia/postfix box in the DMZ, have the firewall NOT accept mail, but rather forward all port 25 traffic to that box and let it, with the proper recipient verification, accept and reject mail?  Problems all solved.


More to the point, a firewall should not be handling any protocols or doing filtering within those, it should stay on a lower layer of the network stack.  It would be impossible for a firewall to keep up with all possible protocols and applications.   Leave the application security to the application layer.

If you are depending on a "firewall" to enforce application security, you have a major security problem - a firewall is not really much security at all.  It's just a small lock on the front door.

OTOH, a properly configured and maintained server can live on the outside without a firewall without any security risk.

The proper thing for a firewall to do, is to forward requests on to the proper server for only the advertised services, and block everything else.  It should not in any way alter or handle the traffic itself, but merely make sure traffic is limited to the proper channels.

I know that the postfix mailing list was at one time (and maybe still is?) annoyed with several firewall products like this that interfere with proper email flow.  I think you'll find the same advice there, but with a touch more venom directed at these firewalls... ;)


David Morton
Maia Mailguard http://www.maiamailguard.com
mortondadgrmm.net




Re: Rép. : How to get Postfix to
2007-08-17 14:48:33

David Morton wrote:
> More to the point, a firewall should not be handling any protocols or doing filtering within those, it should stay on a lower layer of the network stack.

Just to add a bit to this point, it's one thing for a firewall to be accepting (and forwarding) traffic addressed to port 25, and quite another for it to be acting as an accepting MTA on that traffic (which seems to be what Mike is describing).

Most firewalls that offer this kind of built-in SMTP server functionality do so as a "convenience", but it's also a feature that can usually be disabled in the firewall's configuration.  Turn off the SMTP server feature of the firewall, and then port 25 becomes just any other port whose forwarding rules you can define.

--
Robert LeBlanc <rjl@renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

