
BLU Discuss list archive



ATT's change of domain name



On Sun, 20 Jan 2002, Derek D. Martin wrote:

> 
> If you use a newer distro to build your mail server, you'll prolly
> find that it is already configured securely.  In fact, on some
> distros, it will (by default) not accept mail from anywhere but
> localhost, so you'll probably need to fix that.  You will, OTOH,
> prolly need to figure out how to KEEP it from being an open relay, if
> you travel and need to be able to relay mail off your server. At least
> with sendmail, this can be tricky.  You'll probably have to figure out
> SMTP Auth or some such.

Actually the _only_ measure RedHat takes to 'secure' sendmail is to
restrict access to localhost.  Steps such as setting privacy options
(goaway,authwarnings,novrfy,noexpn,restrictqrun,needmailhelo),
implementing blacklists, and SMTP Auth are up to the user.

One might also want to modify the sendmail banner to reduce overall 
information leakage by using the SMTP_LOGIN_MSG variable.

> 
> I solve that problem by using ssh to access my mail system remotely,
> and running my (text-based) mail client (mutt) locally on my home
> machine.
> 

Since I typically spend a good deal of time on a plane, I need to keep an
off-line store of my personal mail without risking total loss if my laptop
gets waylaid on the road.  To meet my needs of security vs. access from
multiple hosts and allow for webmail access, I only support Secure IMAP
with SMTP Auth externally.

Obviously, when I'm in the shell, I use SSH/Pine (as I am now).

> You know, I've never used anti-virus software, and I've never had a
> system infected by a virus.  I solve this problem by 1) not reading my
> mail with any Microsoft product, and 2) deleting any mail with
> attachments that a Microsoft product might consider executable.
> Actually I'd do the same with Linux-executable attachments, but I've
> never received one, despite the fact that most of my friends and I use
> Linux exclusively or almost exclusively...

The obvious question is, if you never used anti-virus, then how could you
be certain??  I'll grant you that until recently there had been nothing to
worry about.  Now with the advent of *nix virii, you can no longer assume
*nix is safe from infection.

I yearn for the luxury of only using Linux again... but since in
reality most of my clients use M$ based product and my employer uses Notes
mail, I'm forced to wallow in that muck daily.  My wife/daughter are
Windows users and I have about 20 people for which I provide remote mail
services (some of which are also windows users).

I chose to implement MailScanner/Sophos to protect my sanity.  I know that
(unless I'm hit by a new variant) my inbound and outbound mail is clean
and I also get warned if an infected host starts trying to send virii
infected messages.
 
> 
> This technique may not work with your family (many people find
> auto-executing or clicking on executable attachments irresistible),
> but if you follow the above policy, I can almost guarantee that you'll
> never get an e-mail-borne virus.
> 

My family has no problem ignoring attachments - not just because I trust
in MailScanner to catch/contain the attachment - but because I spent some
time demonstrating the effects of virii to the two of them on a couple of
Windows-based PCs.  Every host on our network has anti-virus resident
which queries the central installation for definition updates at least 4
times per day.  We also set up specific domain workstation/user/group
policies on our home PDC; trust me when I say their workstations and
Internet applications are at least as secure as the latest available
patch.

(before anyone goes a' windows bashin' - that last statement is true of
any OS.  We can only protect against that which we know or can anticipate.  
Every OS has had, and will continue to have, undiscovered vulnerabilities;
that's an accepted fact outside of Redmond.)

I try to keep our home environment robust and integrated as it broadens my
personal skillset.  The Linux servers talk to my 2K PDC and 2K/XP clients
and everyone gets secure seamless access to the necessary resources.  
Hell these days I run X off my SPARC while on my windows laptop upstairs
working in the dreaded Excel application... woohooo 1997 here I come
again!

With that said, all I am saying is that if an individual chooses to host a
public service off their cablemodem/dsl connection, then they should take
the time to learn how to operate/secure it!  Go check out David Ranch's
TrinityOS and read the documentation, run Jay Beale & Co.'s Bastille on
the thing - whatever you feel comfortable with.  Just don't hang it out and
forget about it - or it will get compromised.

Sorry for ranting/droning on - haven't slept in 36+ hours... going to bed 
now... apologies if this jumped track a bit.

Regards,
--Tim
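
Added example (not part of the original post, and not code from either participant): a small Python check of a sendmail.cf for the three points raised in the message above, namely the privacy flags, a greeting that reveals the version, and a localhost-only listener. The two config samples are constructed, and the expansion of goaway is an assumption noted in the code.

```python
import re

# Flags named in the post, with "goaway" expanded. Assumption: sendmail treats
# "goaway" as shorthand for the SMTP-query flags in GOAWAY (not restrictqrun).
GOAWAY = {"authwarnings", "novrfy", "noexpn", "needmailhelo",
          "needexpnhelo", "needvrfyhelo", "noverb"}
WANTED = GOAWAY | {"restrictqrun"}

# Constructed sample resembling a localhost-only default install.
DEFAULT_CF = """\
# O PrivacyOptions=goaway
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
"""
# Constructed sample after hardening and opening the listener for remote use.
HARDENED_CF = """\
O PrivacyOptions=goaway,restrictqrun
O SmtpGreetingMessage=$j
O DaemonPortOptions=Port=smtp, Name=MTA
"""

def parse_options(cf_text):
    """Collect 'O Name=value' lines; '#' comment lines never match."""
    opts = {}
    for line in cf_text.splitlines():
        m = re.match(r"O\s+([A-Za-z]+)\s*=\s*(.*)$", line)
        if m:
            opts.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return opts

def audit(cf_text):
    opts = parse_options(cf_text)
    flags = {f.strip().lower() for v in opts.get("privacyoptions", [])
             for f in v.split(",") if f.strip()}
    if "goaway" in flags:
        flags |= GOAWAY
    # An unset greeting falls back to sendmail's default, which includes $v.
    greeting = (opts.get("smtpgreetingmessage") or ["$j Sendmail $v ready at $b"])[-1]
    listeners = [dict(kv.strip().lower().split("=", 1) for kv in v.split(",") if "=" in kv)
                 for v in opts.get("daemonportoptions", [])]
    return {
        "missing_privacy": sorted(WANTED - flags),
        "banner_leaks_version": "$v" in greeting or "$Z" in greeting,
        "localhost_only": bool(listeners)
                          and all(d.get("addr") == "127.0.0.1" for d in listeners),
    }

if __name__ == "__main__":
    for name, cf in (("default", DEFAULT_CF), ("hardened", HARDENED_CF)):
        print(name, audit(cf))
```

A listener that is no longer localhost-only is expected once remote users relay through the server; the report is a prompt to confirm that SMTP Auth and relay restrictions are in place.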






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org