John Andersen wrote:
> On Friday 29 December 2006 13:09, Sandy Drobic wrote:
>> Currently best practices recommend setting up SMTP auth/TLS for clients and firewalling outgoing port 25 for all other machines except your mailserver, thus forcing all internal clients to use your mailserver. Even if a Windows PC is infested with spamware, that should prevent the zombie from spreading the junk.
> Well, I already do egress filtering on 25, so I guess we agree there.
> As for SMTP auth on the inside network, it does add a bit of complexity, what with generating the certificates etc.
You only need to create one certificate for the server. If it is not an official certificate you might need to import it into your clients' certificate storage. If you don't need plaintext mechanisms for authentication you can also use unencrypted connections. Or do you mean authentication based on the certificate? That is indeed a bit more complicated.
> Once done, it works from anywhere, which is nice, especially for the roaming laptop crowd. (As long as your firewall allows them to connect to your OUTSIDE NIC when they are INSIDE, which I don't think the SuSE firewall does, but Shorewall will.)
When you use DHCP for your clients you can give them the internal DNS server IP along with the internal mailserver IP if they log in within your network. Otherwise the external DNS will return the external IP of your mailserver. Here in Europe most networks only have a few official IPs, so most firewalls use NAT, and the mailserver itself is using a private IP.
> It turns out SLES9 does set mynetworks, but it includes IPv6 networks as well, which provides a leak. openSUSE does not appear to handle mynetworks at all.
As long as IPv6 is not used in commercial practice, I'll simply ignore it and deactivate it on the servers I am running.

Sandy

-- 
List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
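Added here to illustrate the mynetworks point raised in the exchange above; this is not code from the thread or from Postfix. It reads a constructed main.cf fragment, reports the IPv6 entries in mynetworks, flags them as a relay leak whenever Postfix is listening on IPv6 (Postfix relays unauthenticated mail for any client inside mynetworks), and returns the IPv4-only value you would keep after deactivating IPv6. The parameter names are real Postfix ones; the sample values and the assumption that an unset inet_protocols means "all" are mine.

```python
import ipaddress
import re

# Constructed sample main.cf fragment, resembling a distribution default
# that lists IPv6 networks in mynetworks without the admin having chosen them.
SAMPLE_MAIN_CF = """\
inet_protocols = all
mynetworks = 127.0.0.0/8, 192.168.1.0/24, [::1]/128, [fe80::]/10
"""


def get_param(main_cf, name):
    """Return the value of a main.cf parameter, or '' if it is not set."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.*)$", main_cf, re.MULTILINE)
    return m.group(1).strip() if m else ""


def parse_networks(value):
    """Split a mynetworks value (space or comma separated) into networks.
    Postfix writes IPv6 entries as [addr]/prefix, so the brackets are dropped."""
    nets = []
    for entry in re.split(r"[\s,]+", value):
        if entry:
            nets.append(ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False))
    return nets


def audit_mynetworks(main_cf):
    """Report IPv6 and non-local entries in mynetworks.

    An IPv6 range listed in mynetworks becomes a trusted relay source as soon
    as Postfix listens on IPv6. An unset inet_protocols is assumed to be "all"."""
    nets = parse_networks(get_param(main_cf, "mynetworks"))
    protocols = re.split(r"[\s,]+", get_param(main_cf, "inet_protocols") or "all")
    listens_ipv6 = "all" in protocols or "ipv6" in protocols
    ipv6 = [str(n) for n in nets if n.version == 6]
    # Anything that is neither loopback, private nor link-local (or a /0) trusts too much
    public = [str(n) for n in nets
              if n.prefixlen == 0 or not (n.is_loopback or n.is_private or n.is_link_local)]
    return {
        "ipv6": ipv6,
        "public": public,
        "ipv6_leak": listens_ipv6 and bool(ipv6),
        # the value to keep once IPv6 is deactivated, as proposed above
        "ipv4_only": " ".join(str(n) for n in nets if n.version == 4),
    }


if __name__ == "__main__":
    for key, val in audit_mynetworks(SAMPLE_MAIN_CF).items():
        print(f"{key}: {val}")
```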