On Sun, 20 Jan 2002, Derek D. Martin wrote:

> If you use a newer distro to build your mail server, you'll prolly
> find that it is already configured securely. In fact, on some
> distros, it will (by default) not accept mail from anywhere but
> localhost, so you'll probably need to fix that. You will, OTOH,
> prolly need to figure out how to KEEP it from being an open relay, if
> you travel and need to be able to relay mail off your server. At least
> with sendmail, this can be tricky. You'll probably have to figure out
> SMTP Auth or some such.

Actually the _only_ measure RedHat takes to 'secure' sendmail is to restrict access to localhost. Steps such as setting privacy options (goaway,authwarnings,novrfy,noexpn,restrictqrun,needmailhelo), implementing blacklists, and SMTP Auth are up to the user. One might also want to modify the sendmail banner to reduce overall information leakage by using the SMTP_LOGIN_MSG variable.

> I solve that problem by using ssh to access my mail system remotely,
> and running my (text-based) mail client (mutt) locally on my home
> machine.

Since I typically spend a good deal of time on a plane, I need to keep an off-line store of my personal mail without risking total loss if my laptop gets waylaid on the road. To meet my needs of security vs. access from multiple hosts and allow for webmail access, I only support Secure IMAP with SMTP Auth externally. Obviously, when I'm in the shell, I use SSH/Pine (as I am now).

> You know, I've never used anti-virus software, and I've never had a
> system infected by a virus. I solve this problem by 1) not reading my
> mail with any Microsoft product, and 2) deleting any mail with
> attachments that a Microsoft product might consider executable.
> Actually I'd do the same with Linux-executable attachments, but I've
> never received one, despite the fact that most of my friends and I use
> Linux exclusively or almost exclusively...

The obvious question is, if you never used anti-virus, then how could you be certain?? I'll grant you that until recently there had been nothing to worry about. Now with the advent of *nix virii, you can no longer assume *nix is safe from infection.

I yearn for the luxury of only using Linux again... but since in reality most of my clients use M$ based product and my employer uses Notes mail, I'm forced to wallow in that muck daily. My wife/daughter are Windows users and I have about 20 people for which I provide remote mail services (some of which are also Windows users). I chose to implement MailScanner/Sophos to protect my sanity. I know that (unless I'm hit by a new variant) my inbound and outbound mail is clean and I also get warned if an infected host starts trying to send virii infected messages.

> This technique may not work with your family (many people find
> auto-executing or clicking on executable attachments irresistible),
> but if you follow the above policy, I can almost guarantee that you'll
> never get an e-mail-borne virus.

My family has no problem ignoring attachments - not just because I trust in MailScanner to catch/contain the attachment - but because I spent some time demonstrating the effects of virii to the two of them on a couple of Windows-based PCs. Every host on our network has anti-virus resident which queries the central installation for definition updates at least 4 times per day. We also set up specific domain workstation/user/group policies on our home PDC; trust me when I say their workstations and Internet applications are at least as secure as the latest available patch.

(Before anyone goes a' Windows bashin' - that last statement is true of any OS. We can only protect against that which we know or can anticipate. Every OS has had, and will continue to have, undiscovered vulnerabilities; that's an accepted fact outside of Redmond.)

I try to keep our home environment robust and integrated as it broadens my personal skillset. The Linux servers talk to my 2K PDC and 2K/XP clients and everyone gets secure seamless access to the necessary resources. Hell, these days I run X off my SPARC while on my Windows laptop upstairs working in the dreaded Excel application... woohooo 1997 here I come again!

With that said, all I am saying is that if an individual chooses to host a public service off their cablemodem/dsl connection, then they should take the time to learn how to operate/secure it! Go check out David Ranch's TrinityOS and read the documentation, run Jay Beale & Co.'s Bastille on the thing - whatever you feel comfortable with. Just don't hang it out and forget about it - or it will get compromised.

Sorry for ranting/droning on - haven't slept in 36+ hours... going to bed now... apologies if this jumped track a bit.

Regards,
--Tim
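
A check for the sendmail settings named in the message above, as an added example that is not part of the original post: it reads a `sendmail.cf` and reports which of the listed privacy flags are missing, whether the SMTP greeting still exposes the version, and whether the listener is bound to localhost only. The two sample configurations are constructed, and the option names `PrivacyOptions`, `SmtpGreetingMessage` and `DaemonPortOptions` are the `sendmail.cf` forms assumed here for the settings the post refers to.

```python
import re

# Privacy flags the post lists; "goaway" is handled as shorthand below.
REQUIRED = {"authwarnings", "novrfy", "noexpn", "restrictqrun", "needmailhelo"}
# Assumption: goaway already implies these four; restrictqrun is separate.
GOAWAY_IMPLIES = {"authwarnings", "novrfy", "noexpn", "needmailhelo"}

def parse_options(cf_text):
    """Collect active 'O Name=value' lines; '#O ...' lines are comments."""
    opts = {}
    for line in cf_text.splitlines():
        m = re.match(r"O\s+(\w+)\s*=\s*(.*)$", line)
        if m:
            opts.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return opts

def audit(cf_text):
    """Report on the hardening steps named in the post."""
    opts = parse_options(cf_text)
    flags = {f.strip().lower()
             for value in opts.get("privacyoptions", [])
             for f in value.split(",") if f.strip()}
    if "goaway" in flags:
        flags |= GOAWAY_IMPLIES
    # Assumption: an unset greeting falls back to a built-in one containing $v.
    greeting = opts.get("smtpgreetingmessage", ["$j Sendmail $v ready at $b"])[-1]
    listeners = opts.get("daemonportoptions", [""])
    return {
        "missing_flags": sorted(REQUIRED - flags),
        # $v is the sendmail version macro, $Z the configuration version.
        "banner_leaks_version": "$v" in greeting or "$Z" in greeting,
        "localhost_only": all(re.search(r"Addr\s*=\s*127\.0\.0\.1\b", l)
                              for l in listeners),
    }

# Constructed sample: localhost-only listener, nothing else tightened.
STOCK_CF = """\
O PrivacyOptions=authwarnings
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
"""
# Constructed sample: opened to the network, flags and banner tightened.
HARDENED_CF = """\
O PrivacyOptions=goaway,restrictqrun
O SmtpGreetingMessage=$j ESMTP
#O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
O DaemonPortOptions=Port=smtp, Name=MTA
"""

if __name__ == "__main__":
    for name, cf in (("stock", STOCK_CF), ("hardened", HARDENED_CF)):
        print(name, audit(cf))
```

A result with `localhost_only` false and a non-empty `missing_flags` list is the case the message describes: the server has been opened up without the remaining steps being done.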