On Friday 29 December 2006 13:09, Sandy Drobic wrote:
> Currently best practices recommend setting up SMTP auth/TLS for clients and firewalling outgoing port 25 for all other machines except your mailserver, thus forcing all internal clients to use your mailserver. Even if a Windows PC is infested with spamware, that should prevent the zombie from spreading the junk.

Well, I already do egress filtering on 25, so I guess we agree there.

As for SMTP auth on the inside network, it does add a bit of complexity, what with generating the certificates etc. Once done, it works from anywhere, which is nice, especially for the roaming laptop crowd. (As long as your firewall allows them to connect to your OUTSIDE NIC when they are INSIDE, which I don't think SuSE firewall does, but Shorewall will.)

It turns out SLES9 does set mynetworks, but it includes IPv6 networks as well, which provides a leak. openSUSE does not appear to handle mynetworks at all.

-- 
_____________________________________
John Andersen
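
As an added example (not part of the original message, and not SuSE's or Postfix's own code): a small Python audit of a Postfix `mynetworks` value that flags entries, IPv6 included, that trust more than the ranges the administrator intended. The sample value and the intended range are constructed for illustration and are not the SLES9 defaults.

```python
import ipaddress

def parse_entry(raw):
    """Return an ip_network for one mynetworks token, or None if it is not a
    literal network (table lookup such as hash:/path, file path, "!" exclusion)."""
    # Postfix writes IPv6 literals as [addr]/len; strip the brackets to parse.
    cleaned = raw.replace("[", "").replace("]", "")
    try:
        return ipaddress.ip_network(cleaned, strict=False)
    except ValueError:
        return None

def audit_mynetworks(value, intended):
    """List (token, reason) for entries that trust more than `intended`."""
    allowed = [ipaddress.ip_network(n) for n in intended]
    findings = []
    for raw in value.replace(",", " ").split():
        net = parse_entry(raw)
        if net is None:
            findings.append((raw, "not a literal network, review by hand"))
        elif net.is_loopback:
            continue  # 127.0.0.0/8 and [::1]/128 only cover the local host
        elif any(net.version == a.version and net.subnet_of(a) for a in allowed):
            continue  # inside a range the admin meant to trust
        else:
            findings.append((raw, f"IPv{net.version} range outside intended networks"))
    return findings

# Constructed sample, in the format `postconf -h mynetworks` prints.
SAMPLE = "127.0.0.0/8 192.168.1.0/24 [::1]/128 [fe80::]/10 [2001:db8::]/32"
INTENDED = ["192.168.1.0/24"]  # assumed internal LAN

if __name__ == "__main__":
    for token, reason in audit_mynetworks(SAMPLE, INTENDED):
        print(f"{token}: {reason}")
```

Any range it reports is one from which Postfix will relay without SMTP auth, so each should either be removed from `mynetworks` or confirmed as intentionally trusted.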