Re: Mail Server Architecture
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Mail Server Architecture
- From: Smith <smith_(_at_)_confuciun_(_dot_)_com>
- Date: Wed, 11 May 2005 01:20:00 -0700
> This is a very dangerous approach to take, relying solely on the
> final mail reader's client to correctly handle malicious messages.

Dangerous is a fact of life, dealing with Windows workstations. I'd
rather deal with a client mishandling a malicious message than have my
MTA rooted because I didn't apply the latest patch to clamav or
spamassassin or having any of these 3rd party software crash the MTA
because of a bug. Theoretically, I believe it would be better to have
the MTA filter spam and viruses, but I don't trust 3rd party software, I
trust OpenBSD software.

> Security exposure aside, if your architecture can reject and drop
> the most common "empty" virus (worm, etc) email messages as
> they arrive at your edge-facing MTA, you reduce the disk storage and
> other resources wasted in storing a huge volume of garbage messages.

That's where OpenBSD's spamd / greylisting comes in.

> It's a heck of a lot easier to scale-up your MX pool than it is to
> upgrade the mail spool and desktop clients with more disk and CPU.

If you're dealing with Windows, it's foolish NOT to have client-side
virus protection. Thus, upgrading the desktop clients is a fact of life
in a Microsoft environment. Check out this scenario: a user, with java
installed, goes to a website and boom, Norton pops up saying it
quarantined a trojan; you can't live without workstation virus
protection. My original post gave other examples for the client.

> Bayesian spam filtering is pretty much the only exception,
> it needs to be individualized. All other AV/Antispam (in a
> corporate environment) is most effective when centralized.

I agree in theory, as mentioned above.

> 1. Workstations often have Norton disabled, through user ignorance,
> carelessness or automatically by malware. This opens a channel
> for viruses sent by known and (foolishly) trusted correspondents.

With Norton setup in a server/client configuration, you have the ability
to disable client manipulation.

> 2. Open source virus tools like ClamAV use an independent database
> that is often updated sooner than Norton et al. and is often

I like Clamwin (based on ClamAV), but it does not provide on-access
scanning like Norton. On-access scanning is what caught that java
trojan I mentioned above. Norton's response time isn't bad enough for
me to look for an alternative.

> And I'm not just saying "use something other than sendmail on the
> outermost edge" because I am all too aware of the long history of
> remotely exploitable sendmail vulnerabilities, but also because if
> you are going to "chain" transports for security, you gain the most
> by using different MTAs for the "outside" and the "inside". Otherwise
> a script kiddie bearing a "0day sendmail on openBSD on intel" sploit
> who compromises your internet-facing ("RELAY" in the diagram)
> server won't delay long in using the firewall-evading tunnel to use the
> same tool to take over the internal ("LOCAL_DELIVERY") host.

I've been playing with OpenBSD for around 5 years. I vaguely recall
only one security alert for sendmail in all that time (I could be wrong
on this). I also vaguely recall postfix having a couple of security
alerts within the last couple of weeks (I could be wrong on this). And
Exim.... I'm more scared of 0day exploits on those 3rd party products
than OpenBSD's sendmail. Plus you miss a subtle point I was trying to
get across. As a network administrator, I don't want to have to keep
track of security alerts of all these 3rd party products I use. It's
time consuming. I'd rather just keep track of OpenBSD security
alerts. If sendmail has a security alert and OpenBSD is vulnerable,
OpenBSD will let me know pretty quickly. I don't need to keep track of
sendmail alerts, just OpenBSD's.
So to the guy who started this post, let the MTA do what it was designed
for and does best, transfer email. Invest in an enterprise virus
solution like Norton, use Thunderbird for a client, and have the Windows
workstations clean up their own crap. Why should your Mac and Unix users
suffer? You might as well since you will still have to invest in
something like Norton even if you do choose to implement virus and spam
filtering on the MTA. If you do this, and one workstation goes down,
it's hopefully only one workstation. But if your MTA gets rooted, it's
your whole organization.
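The thread names spamd / greylisting as the way to shed the "empty" worm messages at the edge-facing MTA without trusting third-party scanners there. The following is an added illustration, not part of the post and not spamd's own code: a simplified model of the greylisting decision spamd makes. The three timing constants are spamd(8)'s documented defaults (passtime 25 minutes, greyexp 4 hours, whiteexp 36 days); the tuple omits the HELO name that real spamd also keys on, and the addresses and delivery attempts are constructed sample data.

```python
"""
Simplified model of SMTP greylisting as performed by OpenBSD's spamd(8).
Added example, not spamd's code. PASSTIME/GREYEXP/WHITEEXP are spamd's
documented defaults; the tuple below omits the HELO name spamd also uses,
and every address and timestamp is constructed for illustration.
"""
from dataclasses import dataclass, field

PASSTIME = 25 * 60          # a new (ip, from, to) tuple must wait this long before being accepted
GREYEXP = 4 * 3600          # an unretried grey entry is forgotten after this long
WHITEEXP = 36 * 24 * 3600   # a source stays whitelisted this long after its last delivery


@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)    # (ip, mail_from, rcpt_to) -> first_seen
    white: dict = field(default_factory=dict)   # ip -> last_seen

    def decide(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code the edge MTA gives this delivery attempt."""
        self._expire(now)
        if ip in self.white:                    # known-good sender host: accept straight away
            self.white[ip] = now
            return 250
        key = (ip, mail_from, rcpt_to)
        first = self.grey.get(key)
        if first is None:                       # never seen: temp-fail, a real MTA will retry
            self.grey[key] = now
            return 451
        if now - first < PASSTIME:              # retried too soon: keep temp-failing
            return 451
        del self.grey[key]                      # retried after passtime: whitelist the host
        self.white[ip] = now
        return 250

    def _expire(self, now):
        """Drop grey entries nobody retried and whitelist entries that went quiet."""
        self.grey = {k: t for k, t in self.grey.items() if now - t < GREYEXP}
        self.white = {ip: t for ip, t in self.white.items() if now - t < WHITEEXP}


def simulate(attempts):
    """Feed (offset_seconds, ip, mail_from, rcpt_to) attempts through one greylist; return reply codes."""
    gl = Greylist()
    return [gl.decide(ip, mail_from, rcpt_to, when) for when, ip, mail_from, rcpt_to in attempts]


# Constructed sample: a legitimate MTA that retries after 30 minutes, and a worm
# engine with an empty envelope sender that fires once and never retries.
SAMPLE = [
    (0,     "192.0.2.10", "alice@example.org", "bob@example.com"),   # legit, first attempt
    (5,     "192.0.2.99", "",                  "bob@example.com"),   # worm, "empty" sender, first attempt
    (1800,  "192.0.2.10", "alice@example.org", "bob@example.com"),   # legit retry after 30 min
    (1900,  "192.0.2.10", "alice@example.org", "carol@example.com"), # same host, new recipient
    (20000, "192.0.2.99", "",                  "bob@example.com"),   # worm again after >4 h: grey entry expired
]

if __name__ == "__main__":
    for (when, ip, _, _), code in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={when:>6}s {ip:<12} -> {code}")
```

The worm's message is never stored: each attempt gets a 451 and, because nothing retries within the grey window, the entry simply expires. The legitimate host pays one retry delay and is then whitelisted for every later recipient, which is the storage and CPU saving the quoted paragraph was after.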