
Re: [exim4] mixed up about terminology



Jerry Stuckle <jstuckle@attglobal.net> writes:

> On 10/6/2014 7:30 PM, lee wrote:
>> Jerry Stuckle <jstuckle@attglobal.net> writes:
>> 
>>> For instance, MUAs typically connect on port 587 (at least that is the
>>> recommendation), while MTAs always use port 25. Additionally, MUAs
>>> should always be validated with signon/password, to prevent the server
>>> from becoming an open relay.
>> 
>> 1:  You would have to require auth on port 25 just in case a MUA
>>     connects on that port.  Since you could reasonably do this
>>     exclusively for connections from authorised clients (i.e. clients
>>     on your LAN), it doesn't seem very useful (unless you need to be
>>     afraid of misbehaving clients on your own LAN).
>>
>
> No, you don't.  There is nothing in the RFCs which requires port 25 to
> be open to MUAs.  OTOH, RFC 2476 reserves port 587 specifically for
> such submission.

How do you distinguish a MUA from an MTA at that point?

>> 2:  When nothing but authorised clients (like non-misbehaving MUAs on the
>>     LAN) can connect to port 587, how does your MTA become an open relay
>>     by not requiring authentication on port 587?
>> 
>
> Are you sure only authorized clients can connect?  How do you know your
> local network is secure?  For instance, does your router have a software
> bug which can allow someone to get in?  How about your WiFi access
> point?  Are you sure those are secure?

Are you sure the authentication your MTA requires is secure?

> Spammers know better than almost anyone what is secure and what isn't.

If someone breaks in, I have more to worry about than emails being
sent.  And if someone does break in, what prevents them from disabling
the authentication the MUA requires?

> And large companies and governments spend millions of dollars a year to
> secure their systems.  They are constantly monitoring their logs and
> running tests, looking for holes.  They use commercial gear which is
> quite expensive.  They have sysadmins with years of experience in both
> administration and security.  Yet they still manage to get hacked.

Their networks tend to be a bit more endangered than a small LAN at
home is.

> Are you saying you and your equipment are better than them?

You only need to be good enough.

> I know a lot about security (it comes with living in the paranoid
> security capital of the world).  I've spent a lot of time securing my
> network with multiple levels of security.  But I'm not naive enough to
> believe my network can't be hacked.

That's one of the problems with security.  It takes a lot of time to
learn, a lot of time to implement and then a lot of time to use because
you need to enter another password all the time.  And you don't even
believe it's worthwhile yourself.

>> 3:  How do you deal with messages not generated by MUAs when you have
>>     blocked your MTA against the LAN through requiring auth?
>> 
>> 
>
> I don't require authorization on port 25.  But I also don't allow it.
> All authorized users must go through port 587.  Unauthorized users can
> only go through port 25, and have restricted rights.

So your systems aren't functioning because messages not generated by
MUAs cannot be delivered?


-- 
Hallowed are the Debians!
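The split the two posters are arguing about (port 587 reserved for authenticated submission, port 25 left open but with no relay rights, plus an allowance for LAN hosts that send cron or monitoring mail without a MUA) can be expressed in a single Exim 4 recipient ACL.  The fragment below is an added illustration, not configuration posted by either participant or shipped by the Debian exim4 packages; the LAN range and the domain name are constructed placeholders, and `acl_check_rcpt` is simply the name chosen here for the ACL.

```exim
# Added example (constructed, not from the thread): one Exim 4 daemon
# listening on both ports and telling MUAs apart by whether they
# authenticated, not by which port they happened to use.
daemon_smtp_ports = 25 : 587

# Offer STARTTLS everywhere, but advertise AUTH only once TLS is up so
# credentials are never sent in clear over port 587.
tls_advertise_hosts  = *
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Constructed values: hosts allowed to relay without a login (point 3 in
# the thread: machines that generate mail without a MUA), and the
# domains this server delivers locally.
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.1.0/24
domainlist local_domains    = @ : example.net

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Submission port: refuse anything from a client that has not
  # authenticated, whatever network it sits on.  A compromised LAN host
  # therefore cannot use 587 as an open relay.
  deny    condition = ${if eq{$interface_port}{587}}
          !authenticated = *
          message = authentication required on the submission port

  # An authenticated session is what identifies a MUA; it may relay.
  accept  authenticated = *

  # Designated LAN hosts may relay on port 25 without credentials.
  accept  hosts = +relay_from_hosts

  # Everything else on port 25 (other MTAs) may only deliver locally.
  accept  domains = +local_domains

  deny    message = relay not permitted
```

The effect is that "restricted rights" on port 25 means local delivery only, while relaying is granted by authentication on 587 or by explicit host listing on 25.  Whether the LAN accept line is justified is exactly the point in dispute above: dropping it forces even the non-MUA senders through an authenticated 587 session.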

