
Re: [exim4] mixed up about terminology



On 10/6/2014 7:30 PM, lee wrote:
> Jerry Stuckle <jstuckle@attglobal.net> writes:
> 
>> For instance, MUAs typically connect on port 587 (at least that is the
>> recommendation), while MTAs always use port 25. Additionally, MUAs
>> should always be validated with signon/password, to prevent the server
>> from becoming an open relay.
> 
> 1:  You would have to require auth on port 25 just in case a MUA
>     connects on that port.  Since you could reasonably do this
>     exclusively for connections from authorised clients (i. e. clients
>     on your LAN), it doesn't seem very useful (unless you need to be
>     afraid of misbehaving clients on your own LAN).
>

No, you don't.  There is nothing in the RFCs which requires port 25 to
be open to MUAs.  OTOH, RFC 2476 reserves port 587 specifically for
such submission.

> 2:  When nothing but authorised clients (like non-misbehaving MUAs on the
>     LAN) can connect to port 587, how does your MTA become an open relay
>     by not requiring authentication on port 587?
> 

Are you sure only authorized clients can connect?  How do you know your
local network is secure?  For instance, does your router have a software
bug which can allow someone to get in?  How about your WiFi access
point?  Are you sure those are secure?

Spammers know better than almost anyone what is secure and what isn't.

And large companies and governments spend millions of dollars a year to
secure their systems.  They are constantly monitoring their logs and
running tests, looking for holes.  They use commercial gear which is
quite expensive.  They have sysadmins with years of experience in both
administration and security.  Yet they still manage to get hacked.

Are you saying you and your equipment are better than them?

I know a lot about security (it comes with living in the paranoid
security capital of the world).  I've spent a lot of time securing my
network with multiple levels of security.  But I'm not naive enough to
believe my network can't be hacked.

> 3:  How do you deal with messages not generated by MUAs when you have
>     blocked your MTA against the LAN through requiring auth?
> 
> 

I don't require authorization on port 25.  But I also don't allow it.
All authorized users must go through port 587.  Unauthorized users can
only go through port 25, and have restricted rights.

Jerry
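The split Jerry describes (AUTH only on 587, port 25 open but restricted to local delivery) can be expressed in an Exim ACL. The fragment below is an added illustration, not Jerry's configuration or the Debian exim4 default; it assumes a single-file Exim main configuration and uses the standard `domainlist` names `local_domains` and `relay_to_domains` from the Exim specification. The `server_advertise_condition` line is optional and ties AUTH to an established TLS session so credentials are never offered in the clear.

```exim
# Listen on both ports; the policy below tells them apart by $interface_port.
daemon_smtp_ports = 25 : 587

# Domains this host delivers for locally, and domains it relays to.
# Placeholder values: adjust for the real site.
domainlist local_domains = @ : example.test
domainlist relay_to_domains =

# Advertise AUTH only on the submission port. Exim rejects an AUTH
# command that was not advertised, so port 25 clients cannot authenticate.
auth_advertise_hosts = ${if eq{$interface_port}{587}{*}{}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Port 25, port 587, authenticated or not: always accept mail for
  # domains this host is responsible for ("restricted rights").
  accept  domains = +local_domains : +relay_to_domains

  # Relaying to anywhere else requires a successful AUTH, and AUTH is
  # only possible on 587 because of auth_advertise_hosts above.
  accept  authenticated = *
          condition = ${if eq{$interface_port}{587}}

  # Everything else is an attempted relay: refuse it.
  deny    message = relay not permitted

begin authenticators

# Example PLAIN authenticator; the lookup in server_condition is a
# placeholder and must point at the site's real credential store.
# server_advertise_condition stops AUTH being offered before STARTTLS.
plain_login:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = ${if eq{$auth3}{PLACEHOLDER_PASSWORD_LOOKUP}}
  server_set_id = $auth2
```

To check the behaviour without sending mail, `exim -bh 192.0.2.10` (a documented test address) simulates an SMTP session from that host through the ACLs; with this configuration a RCPT TO an off-site domain should be refused unless the session authenticated on port 587.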