Re: Mail Server Architecture

> This is a very dangerous approach to take, relying solely on the
> final mail reader's client to correctly handle malicious messages.

Dangerous is a fact of life, dealing with Windows workstations. I'd rather deal with a client mishandling a malicious message than have my MTA rooted because I didn't apply the latest patch to clamav or spamassassin, or have any of these 3rd party software crash the MTA because of a bug. Theoretically, I believe it would be better to have the MTA filter spam and viruses, but I don't trust 3rd party software, I trust OpenBSD software.

> Security exposure aside, if your architecture can reject and drop
> the most common "empty" virus (worm, etc) email messages as
> they arrive at your edge-facing MTA, you reduce the disk storage and
> other resources wasted in storing a huge volume of garbage messages.

That's where OpenBSD's spamd / greylisting comes in.

> It's a heck of a lot easier to scale-up your MX pool than it is to
> upgrade the mail spool and desktop clients with more disk and CPU.

If you're dealing with Windows, it's foolish NOT to have client-side virus protection. Thus, upgrading the desktop clients is a fact of life in a Microsoft environment. Check out this scenario: a user, with Java installed, goes to a website and boom, Norton pops up saying it quarantined a trojan; you can't live without workstation virus protection. My original post gave other examples for the client.

> Bayesian spam filtering is pretty much the only exception,
> it needs to be individualized. All other AV/Antispam (in a
> corporate environment) is most effective when centralized.

I agree in theory, as mentioned above.

> 1. Workstations often have Norton disabled, through user ignorance,
> carelessness or automatically by malware. This opens a channel
> for viruses sent by known and (foolishly) trusted correspondents.

With Norton set up in a server/client configuration, you have the ability to disable client manipulation.

> 2. Open source virus tools like ClamAV use an independent database
> that is often updated sooner than Norton et al. and is often
> more comprehensive.

I like ClamWin (based on ClamAV), but it does not provide on-access scanning like Norton. On-access scanning is what caught that Java trojan I mentioned above. Norton's response time isn't bad enough for me to look for an alternative.

> And I'm not just saying "use something other than sendmail on the
> outermost edge" because I am all too aware of the long history of
> remotely exploitable sendmail vulnerabilities, but also because if
> you are going to "chain" transports for security, you gain the most
> by using different MTAs for the "outside" and the "inside". Otherwise
> a script kiddie bearing a "0day sendmail on OpenBSD on intel" sploit
> who compromises your internet-facing ("RELAY" in the diagram)
> server won't delay long in using the firewall-evading tunnel to use the
> same tool to take over the internal ("LOCAL_DELIVERY") host.

I've been playing with OpenBSD for around 5 years. I vaguely recall only one security alert for sendmail in all that time (I could be wrong on this). I also vaguely recall postfix having a couple of security alerts within the last couple of weeks (I could be wrong on this). And Exim.... I'm more scared of 0day exploits on those 3rd party products than OpenBSD's sendmail. Plus you miss a subtle point I was trying to get across. As a network administrator, I don't want to have to keep track of security alerts for all these 3rd party products I use. It's time consuming. I'd rather keep track of just OpenBSD security alerts. If sendmail has a security alert and OpenBSD is vulnerable, OpenBSD will let me know pretty quickly. I don't need to keep track of sendmail alerts, just OpenBSD's.

So to the guy who started this post, let the MTA do what it was designed for and does best: transfer email. Invest in an enterprise virus solution like Norton, use Thunderbird for a client, and have the Windows workstations clean up their own crap. Why should your Mac and Unix users suffer? You might as well, since you will still have to invest in something like Norton even if you do choose to implement virus and spam filtering on the MTA. If you do this, and one workstation goes down, it's hopefully only one workstation. But if your MTA gets rooted, it's your whole organization.
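For readers who have not used the spamd / greylisting setup the reply above refers to, here is an illustrative pf.conf fragment of the kind spamd(8) is wired in with. It is an added example, not part of the original post or of the poster's setup, and it assumes the rdr-to syntax of OpenBSD 4.7 and later, the default spamd port name from /etc/services, and spamd enabled in /etc/rc.conf.local (spamd_flags="" and spamlogd_flags=""); the interface group "egress" and the table file path are assumptions as well.

```pf
# Hosts that have passed greylisting; spamd adds entries here via spamd-setup/spamlogd.
table <spamd-white> persist
# Senders you never want greylisted (constructed path, adjust to taste).
table <nospamd> persist file "/etc/mail/nospamd"

# Unknown senders are redirected to spamd, which greylists them: the first
# delivery attempt is temporarily rejected, a well-behaved MTA retries and
# is then whitelisted, while most single-shot worm/spam engines never return.
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd

# Whitelisted and trusted sources reach the real MTA directly.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp

# Outbound SMTP logged so spamlogd can whitelist hosts you send mail to.
pass out log on egress proto tcp to any port smtp
```

The point this illustrates, relative to the thread, is that the filtering happens at the TCP layer in pf and in the privilege-separated spamd process, not inside the MTA: a message that never passes greylisting is never spooled and never touches sendmail, which is the "reject at the edge without bolting third-party scanners onto the MTA" position the reply is arguing for.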
