John Andersen wrote:
On Friday 29 December 2006 02:00, Sandy Drobic wrote:
It is indeed not the best practice.
By adding the line: mynetworks = 192.168.2.0/24, 127.0.0.0/8 you can prevent this, but Yast does not offer that as best I can see, so you have to remember to do it manually. If you set mynetworks manually, the option mynetworks_style is skipped. You could also use "mynetworks_style = host" to grant relay access to the server only.
True enough about the mynetworks setting overriding mynetworks_style, which is precisely why I recommended this in my post above.
It's not that I don't know how to do this; it's just a trap for the unwary, and it also affects SLES.
The unwary have no business running a mailserver. (^-^)
Setting mynetworks_style = host is sort of self defeating unless you expect everybody in the company to walk over to your SLES machine to send email. Host style blocks the local network, leaving the only machine capable of sending mail as the server itself.
Usually you set up authentication for clients; servers that don't support smtp auth can be added to $mynetworks. Current best practices recommend setting up smtp auth/TLS for clients and firewalling outgoing port 25 for all other machines except your mailserver, thus forcing all internal clients to use your mailserver. Even if a Windows PC is infested with spamware, that should prevent the zombie from spreading the junk.
In the end it comes down to the old saying "If you are playing with Linux you should know what you are doing, especially if you are configuring a network service accessible by the external internet".
The point is that the mynetworks_style choices are somewhat limited and next to useless for a product like SLES or even opensuse when used as a mail server, so yast should ALWAYS ignore these options and insist on having the user configure mynetworks.
That I can agree to. If you could set up authentication in the next step also, I would start cheering. (^-^)
My ISP runs a daemon that periodically tries to relay a test message thru any machine that has port 25 open. I've seen it in the logs, and called their security desk. They explained it was their policy to do these tests, and they shut off your cable modem if the relay succeeds.
I like your ISP. Wish some others would adopt that practice, too. When I saw someone with the sender address smtphunter@daum.net try to relay using my server, I first thought "Oh, a relay probe from an anti spam fighter". It was probably exactly the opposite, a spammer looking for open relays. Though it seems he stopped checking some months ago. Maybe ordb.org is indeed not needed anymore. Currently I think that the biggest threat is infected/insecure machines within your network.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
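The precedence discussed in this thread (an explicit mynetworks makes Postfix skip mynetworks_style) can be checked against a main.cf with a short script. This is an added example, not part of the original message; the sample configs are constructed, the function names are hypothetical, and default_style="subnet" is an assumption for the case where neither parameter is set (confirm with `postconf -d mynetworks_style` on your version).

```python
import ipaddress

# Constructed sample main.cf fragments (not taken from any real server).
STYLE_ONLY = """\
# only the style is set, no explicit mynetworks
mynetworks_style = subnet
"""
EXPLICIT = """\
mynetworks_style = subnet
mynetworks = 192.168.2.0/24,
    127.0.0.0/8
"""

def parse_main_cf(text):
    """Return {name: value}; later settings win, indented lines continue."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines
        if raw[0].isspace() and last:     # continuation of previous value
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def relay_trust(text, default_style="subnet"):
    """Describe which clients this config trusts for relaying."""
    p = parse_main_cf(text)
    if "mynetworks" in p:                 # explicit list: style is skipped
        nets, other = [], []
        for tok in p["mynetworks"].replace(",", " ").split():
            try:
                nets.append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                other.append(tok)         # tables, files, exclusions, etc.
        return {"source": "mynetworks", "networks": nets, "unparsed": other,
                "style_ignored": "mynetworks_style" in p}
    style = p.get("mynetworks_style", default_style)
    # anything wider than "host" trusts machines other than the server itself
    return {"source": "mynetworks_style", "style": style,
            "review": style != "host"}
```

A result with "review": True means relay trust is derived from the interface's subnet or class rather than from a list someone chose, which is the case the thread calls a trap for the unwary.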