Hosting Provided By

Re: Advice on MTA blacklist

From: mouss <mouss(at)netoyen.net>
Date: Thu Oct 11 2007 - 16:19:00 EDT

David B Funk wrote:
> Jo you didn't read Chris's statement closely. A conscientious mail server
> administrator will configure the SERVER to -ONLY- accept encrypted
> connections for SMTP-AUTH transactions; the server should enforce
> the encryption requirements.
>

This is a religious war declaration or what? ok, let me see what I can say ;-p

<grin>
A conscien-something admin knows that as is always the case with encryption, security depends on the implementation (code, environment, random number generation, ...) and not on the specification. For example, a conscien-something admin knows about thing like this:

http://www.henlich.de/moz-smtp/

A conscien-something knows that linking a large library like openssl in an otherwise quite safe MTA adds more opportunities for system compromise. A conscien-somthing admin prefers to be an open relay than a zombie.

A conscien-somthing admin knows that it is possible to protect logins without TLS (if data protection is needed, PGP and S/MIME provide this end-to-end, something that no server $thing can provide). sure, not all clients support (secure) authentication methods. but same goes for STARTTLS (and don't tell me about the obsolete smtps, because conscien-seomthing admins don't implement obsolete things).

A conscien-something admin knows that unless client certificates are used, starttls doesn't help against dictionary attacks performed from botnets (so you can't just block one IP). the same admin knows that deploying client certificates and/or assisting their users does not come from free, unless they work in a givernment organization financed by public taxes (but even then, a conscien-* admin won't spend people's money so frivoulously).

A conscien-something admin knows that the private key is somewhere on the system, and that protecting it does not come for free.

Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related spamassassin.apache.org Links users Request more information about Pantek

And of course, a conscien-something admin can setup an IPSec/ssh/* tunnel and not care about STARTTLS at all, ... and still feel consciencious. but maybe not. maybe he should still enforce STARTTLS? Come on...

</grin>

TLS is nice, but...

> Thus it does not matter what the client wants to do, the server should
> not let the client continue the SMTP-AUTH transaction until it has
> completed the STARTTLS operation (or in the case of SMTPS, it's
> already encrypted).
> Back to Skip's question, possibly the easiest way to solve his
> problem would be to run two SMTP servers, one on port 25 with full
> spam/AV scanning for regular mail traffic, one on ports 587 & 645 with
> SMTP-AUTH/TLS for his users' clients to submit messages, on that one
> have AV scanning and possibly limited spam scanning.
>

Fully agreed. Received on Thu Oct 11 16:19:29 2007

This message: [ Message body ]
Next message: mouss: "Re: 8bit encoding in mail header by SpamAssassin"
Previous message: James: "Re: MIPSpace"
In reply to: David B Funk: "Re: Advice on MTA blacklist"
Next in thread: mouss: "Re: Advice on MTA blacklist"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Fri Jul 04 2008 - 12:21:48 EDT