Re: [exim4] mixed up about terminology
Jerry Stuckle <jstuckle@attglobal.net> writes:
> On 10/6/2014 7:30 PM, lee wrote:
>> Jerry Stuckle <jstuckle@attglobal.net> writes:
>>
>>> For instance, MUAs typically connect on port 587 (at least that is the
>>> recommendation), while MTAs always use port 25. Additionally, MUAs
>>> should always be validated with signon/password, to prevent the server
>>> from becoming an open relay.
>>
>> 1: You would have to require auth on port 25 just in case a MUA
>> connects on that port. Since you could reasonably do this
>> exclusively for connections from authorised clients (i.e. clients
>> on your LAN), it doesn't seem very useful (unless you need to be
>> afraid of misbehaving clients on your own LAN).
>>
>
> No, you don't. There is nothing in the RFCs which requires port 25 to
> be open to MUAs. OTOH, there is RFC 2476, which reserves port 587
> specifically for such submission.
How do you distinguish a MUA from an MTA at that point?
>> 2: When nothing but authorised clients (like non-misbehaving MUAs on the
>> LAN) can connect to port 587, how does your MTA become an open relay
>> by not requiring authentication on port 587?
>>
>
> Are you sure only authorized clients can connect? How do you know your
> local network is secure? For instance, does your router have a software
> bug which can allow someone to get in? How about your WiFi access
> point? Are you sure those are secure?
Are you sure the authentication your MTA requires is secure?
> Spammers know better than almost anyone what is secure and what isn't.
In case someone breaks in, I have more to worry about than emails being
sent. And if someone does break in, what prevents them from disabling
the authentication the MUA requires?
> And large companies and governments spend millions of dollars a year to
> secure their systems. They are constantly monitoring their logs and
> running tests, looking for holes. They use commercial gear which is
> quite expensive. They have sysadmins with years of experience in both
> administration and security. Yet they still manage to get hacked.
Their networks tend to be a bit more endangered than a small LAN at
home is.
> Are you saying you and your equipment are better than them?
You only need to be good enough.
> I know a lot about security (it comes with living in the paranoid
> security capital of the world). I've spent a lot of time securing my
> network with multiple levels of security. But I'm not naive enough to
> believe my network can't be hacked.
That's one of the problems with security. It takes a lot of time to
learn, a lot of time to implement and then a lot of time to use because
you need to enter another password all the time. And you don't even
believe it's worthwhile yourself.
>> 3: How do you deal with messages not generated by MUAs when you have
>> blocked your MTA against the LAN through requiring auth?
>>
>>
>
> I don't require authorization on port 25. But I also don't allow it.
> All authorized users must go through port 587. Unauthorized users can
> only go through port 25, and have restricted rights.
So your systems aren't functioning because messages not generated by
MUAs cannot be delivered?
--
Hallowed are the Debians!
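Added example, not part of the thread and not Exim's own code: a small Python model of the decision an MTA makes at RCPT time, with two knobs that correspond to the setups argued about above (AUTH required on 587 with port 25 restricted, versus no AUTH and trusting the LAN by source address). The local domain, the LAN range, the host addresses and the recipient addresses are all constructed assumptions from documentation ranges; neither setup is claimed to be either poster's actual exim4 configuration.

```python
# Added example (not from this thread, nor the Exim project's code): a model of
# the RCPT-time decision an MTA like exim4 makes, with knobs for the two setups
# argued about above. All addresses are constructed from documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.org"}          # assumption: domains delivered locally
LAN = ip_network("192.0.2.0/24")         # assumption: the home LAN
SMTP_PORT, SUBMISSION_PORT = 25, 587     # MTA-to-MTA port, MUA submission port


@dataclass(frozen=True)
class Policy:
    require_auth_on_587: bool   # refuse unauthenticated RCPT on the submission port
    relay_from_lan: bool        # let unauthenticated LAN hosts relay (exim's relay_from_hosts idea)


@dataclass
class Session:
    peer_ip: str
    port: int
    authenticated: bool = False  # true only after a successful AUTH exchange
    tls: bool = False            # true after STARTTLS


def auth_offered(session: Session) -> bool:
    """AUTH is advertised only on 587 and only inside TLS, so passwords never
    cross the wire in the clear and port 25 never authenticates anyone."""
    return session.port == SUBMISSION_PORT and session.tls


def recipient_domain(rcpt: str) -> str:
    return rcpt.rsplit("@", 1)[-1].lower()


def rcpt_decision(policy: Policy, session: Session, rcpt: str) -> str:
    """Return the SMTP reply this policy gives to RCPT TO:<rcpt>."""
    if session.port == SUBMISSION_PORT:
        # Only here does AUTH state matter: auth_offered() is false on 25,
        # so a client cannot become 'authenticated' there at all.
        if session.authenticated:
            return "250 Accepted"
        if policy.require_auth_on_587:
            return "530 5.7.0 Authentication required"
        # otherwise fall through to the same source-based rules as port 25
    if recipient_domain(rcpt) in LOCAL_DOMAINS:
        return "250 Accepted"                      # final delivery, not relaying
    if policy.relay_from_lan and ip_address(session.peer_ip) in LAN:
        return "250 Accepted"                      # trusted source address
    return "550 5.7.1 Relay not permitted"


def relays(policy: Policy, peer_ip: str, port: int, authenticated: bool = False) -> bool:
    """The classic relay probe: outside sender to outside recipient."""
    reply = rcpt_decision(policy, Session(peer_ip, port, authenticated), "victim@other.example")
    return reply.startswith("250")


def relay_matrix(policy: Policy) -> dict:
    """Who can relay without credentials, per source host and port."""
    return {(ip, port): relays(policy, ip, port)
            for ip in ("192.0.2.10", "198.51.100.7")     # LAN host, outside host
            for port in (SMTP_PORT, SUBMISSION_PORT)}


def system_mail_gets_out(policy: Policy) -> bool:
    """Question 3 above: cron on a LAN box mails an external address through
    port 25, with no MUA and no credentials."""
    return relays(policy, "192.0.2.10", SMTP_PORT)


SETUP_A = Policy(require_auth_on_587=True, relay_from_lan=False)   # 587 needs AUTH, 25 restricted
SETUP_B = Policy(require_auth_on_587=False, relay_from_lan=True)   # no AUTH, trust the LAN

if __name__ == "__main__":
    for name, pol in (("A", SETUP_A), ("B", SETUP_B)):
        print(name, relay_matrix(pol), "system mail gets out:", system_mail_gets_out(pol))
```

Under setup A nothing relays without credentials on either port, but the cron case fails too; under setup B the LAN relays on both ports and the outside host on neither, so the relay question reduces to who can reach the ports and whether a LAN address can be trusted. A third policy, `Policy(require_auth_on_587=True, relay_from_lan=True)`, is what a LAN relay list (dc_relay_nets in Debian's exim4-config) adds to setup A: system mail gets out on 25 while 587 still demands AUTH.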