Re: For Alan Cox ...

From: Matti Aarnio (matti.aarnio@sonera.fi)
Date: Fri May 12 2000 - 05:56:07 EST


On Fri, May 12, 2000 at 10:55:07AM +0100, Malcolm Beattie wrote:
...
> OK, here's the low-down. I run ermine.ox.ac.uk and it, along with
> a number of the 20000 to 30000 other hosts in .ox.ac.uk use
> oxmail.ox.ac.uk, our mail hubs, as a smart host. If ORBS finds any one
> host in Oxford is an open relay then ORBS blacklists not only that
> host (rightly) but *also* its smarthost: oxmail.ox.ac.uk. Immediately,
> none of the 30000 users in Oxford can email anyone who uses ORBS.

        Yes. Quite painful. We have more than that at our commercial
        customer sites, and they understood very easily when we told
        them that either they must run secure servers, or allow incoming
        SMTP only from our SMTP relay cluster.

        Now all new customers are installed with router ACLs implementing
        this rule, and they seem to be quite happy with it. We very
        rarely get any sort of ORBS detection against our relays anymore.

        For customers, and our helpdesks I wrote a small description about
        this problem, and possible solutions to it:

                http://www.zmailer.org/smtprelay.html

> The mail admin tells me the good news today that TPTB have
> now finally agreed to firewall off all SMTP to Oxford apart from the
> Oxmails and separately vetted named hosts. Given the number of hosts
> involved with hundreds of mostly autonomous departments and colleges,
> she's going to be spending even more time keeping all those
> registrations up to date and coping with the moans of plenty of other
> people who see firewalling off SMTP and not allowing them to run SMTP
> servers as fascist. Good luck to her.

        In my former academic life we told departments (and students)
        that they are welcome to relay thru our server, but only if
        their machines are relay-proof. They can, after all, send
        also directly to the world (and thus ORBS/RBL punishment
        hits only their machine).

        Students and staff didn't appear unhappy about the rule,
        although the rate of abuse was quite low back then...

        Possibly one of the reasons that our students were happy was
        that we had centralized DNS maintenance, so that everybody who
        got their PC/Mac network card MAC address registered to the
        campus LAN got an IP address, and then also got a DNS registration
        with a complete set of backup MX entries.

        It is/was also a site which had *all* named DNS objects
        equipped with MX data and WKS data! The latter is rarely
        used anywhere. We ran the main hub so that if the system
        didn't have SMTP in its WKS data, the mail delivery attempt
        was aborted, and the message got bounced. Helped a lot to
        avoid queueing things to routers, printers, and stupid
        DOS/Windows PCs.

> --Malcolm
> --
> Malcolm Beattie <mbeattie@sable.ox.ac.uk>
> Unix Systems Programmer
> Oxford University Computing Services

/Matti Aarnio <matti.aarnio@sonera.fi>
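The WKS-gated delivery rule Matti describes, as an added example that is not code from the thread or from ZMailer: it decodes DNS WKS RDATA (RFC 1035, section 3.4.2) and bounces mail for hosts whose TCP WKS data lacks port 25. Host names and addresses are constructed sample data.

```python
# Added example (not from the thread): parse DNS WKS RDATA (RFC 1035, section
# 3.4.2) and apply the hub rule described above: no SMTP bit for TCP in a
# host's WKS data means the delivery attempt is aborted and the message bounced.
from dataclasses import dataclass

SMTP_PORT = 25
IPPROTO_TCP = 6  # protocol number carried in the WKS RDATA


@dataclass(frozen=True)
class WKSRecord:
    address: str       # dotted-quad IPv4 address from the first 4 octets
    protocol: int      # IP protocol number (6 = TCP, 17 = UDP)
    ports: frozenset   # ports whose bit is set in the bit map


def parse_wks_rdata(rdata: bytes) -> WKSRecord:
    """Decode WKS RDATA: 4-octet address, 1-octet protocol, port bit map.
    Bit 0 of the map (high-order bit of the first octet) is port 0."""
    if len(rdata) < 5:
        raise ValueError("WKS RDATA needs at least address and protocol")
    address = ".".join(str(octet) for octet in rdata[:4])
    ports = {
        index * 8 + bit
        for index, octet in enumerate(rdata[5:])
        for bit in range(8)
        if (octet >> (7 - bit)) & 1
    }
    return WKSRecord(address, rdata[4], frozenset(ports))


def build_wks_rdata(address: str, protocol: int, ports) -> bytes:
    """Encode WKS RDATA; used here only to construct the sample records."""
    bitmap = bytearray(max(ports) // 8 + 1) if ports else bytearray()
    for port in ports:
        bitmap[port // 8] |= 0x80 >> (port % 8)
    return bytes(int(o) for o in address.split(".")) + bytes([protocol]) + bytes(bitmap)


def hub_decision(wks_records) -> str:
    """Return 'deliver' if any TCP WKS record advertises port 25, else 'bounce'.
    A host with no WKS data at all is bounced too, matching the rule above."""
    for rdata in wks_records:
        record = parse_wks_rdata(rdata)
        if record.protocol == IPPROTO_TCP and SMTP_PORT in record.ports:
            return "deliver"
    return "bounce"


# Constructed sample zone data (hypothetical names and addresses).
SAMPLE_HOSTS = {
    "mailhost": [build_wks_rdata("192.0.2.10", IPPROTO_TCP, {25, 110})],
    "printer": [build_wks_rdata("192.0.2.50", IPPROTO_TCP, {80, 515})],
    "router": [],  # no WKS data published at all
}

if __name__ == "__main__":
    for name, records in SAMPLE_HOSTS.items():
        print(f"{name}: {hub_decision(records)}")
```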

This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:20 EST