nanog mailing list archives

Re: Source address validation (was Re: UUNet Offer New Protection


From: Gregory Hicks <ghicks () cadence com>
Date: Mon, 8 Mar 2004 00:06:22 -0800 (PST)



From: Paul Vixie <vixie () vix com>
Date: 08 Mar 2004 06:35:16 +0000


ken () kdmd net (Ken Diliberto) writes:

[...snip...]

We're now blocking all SMTP traffic leaving the campus from non-blessed
sources (read mail servers).  The first day doing this we had comments
about less junk mail traffic.  We block traffic we consider harmful that
shouldn't leave the campus.  We're trying to do our part.

Any suggestions how we can do better?

yes.  contact the nanog program committee so you can come to san francisco
and tell the rest of us how you did it -- both in the ones and zeros, and
in the dollars and cents.

Paul:

This is MY take and not Ken's...

Firewall:  block port 25 from all internal hosts except those
'recognized' as mail servers.

For a user or department to get a mail server set up and 'recognized',
they probably have to go through some sort of "qualification" and
scanning process to ensure that the mail host is configured
correctly...

Going to San Francisco is still a good idea though.

Regards,
Gregory Hicks

-- 
Paul Vixie

---------------------------------------------------------------------
Gregory Hicks                           | Principal Systems Engineer
Cadence Design Systems                  | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1             | Fax:      408.894.3479
San Jose, CA 95134                      | Internet: ghicks () cadence com

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
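The policy described in this thread (port 25 allowed out of the campus only from recognized mail servers) can be checked against flow or firewall logs. The following is an added example, not part of the original posts; the address ranges, the approved-server list, the four-field flow format and the function names are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed values for illustration (documentation address ranges).
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("198.51.100.0/24")]
APPROVED_MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25"),
                         ipaddress.ip_address("198.51.100.10")}
SMTP_PORT = 25

# Constructed flow records, one per line: "src_ip dst_ip protocol dst_port"
SAMPLE_FLOWS = """\
192.0.2.25 203.0.113.7 tcp 25
192.0.2.77 203.0.113.7 tcp 25
192.0.2.77 203.0.113.9 tcp 25
198.51.100.44 192.0.2.25 tcp 25
198.51.100.44 203.0.113.7 tcp 443
198.51.100.10 203.0.113.80 tcp 25
198.51.100.200 203.0.113.7 tcp 25
"""

def on_campus(addr):
    """True if the address falls inside one of the campus prefixes."""
    return any(addr in net for net in CAMPUS_NETS)

def decide(src, dst, proto, dport):
    """Return 'allow' or 'block' for one flow under the egress SMTP policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    leaving = on_campus(src) and not on_campus(dst)
    if proto == "tcp" and int(dport) == SMTP_PORT and leaving:
        return "allow" if src in APPROVED_MAIL_SERVERS else "block"
    return "allow"  # the policy only covers SMTP leaving the campus

def blocked_sources(flow_text):
    """Count blocked outbound SMTP attempts per internal source host."""
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        if decide(*fields) == "block":
            hits[fields[0]] += 1
    return hits

if __name__ == "__main__":
    for host, n in blocked_sources(SAMPLE_FLOWS).most_common():
        print(f"{host}: {n} blocked outbound SMTP attempts")
```

Hosts that keep appearing in the blocked count are candidates for follow-up, since a workstation sending SMTP directly off campus is either an unregistered mail server or a misbehaving machine.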

