Firewall Wizards mailing list archives

Re: SMTP Firewall


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 10 Sep 1999 00:02:24 -0400 (EDT)

On Thu, 9 Sep 1999, Joseph S D Yao wrote:

> Might be better to run a simpler e-mail proxy.  But the reference to

A simpler e-mail proxy normally doesn't offer the ability to do complex 
protection things.  It's a lot easier to do filtering, validation and 
even tunnel detection/prevention on a full to semi-full mail system than 
it is to do it on a simple proxy that's not offering much more than 
plug-gw.  

SMAP is an example of this.  Look how long it took TIS/NAI to do 
anti-relay protection suitably in it.  It's simple, but there's some 
benefit to having more complexity, balanced of course with viability and 
verifiability.  You couldn't do dynamic anti-relay stuff for literally 
months.

IOW, it's pretty easy to write a simple proxy, it's harder to offer more 
than minimal protection for a complex protocol with a simple proxy.  When 
it comes to mail, if you follow the tenets that mail should *never* 
*ever* be lost, it's even more difficult to write something that checks 
for obscure system problems that would cause a file to be dumped at 
system failure.  

> inetd.conf is that he will edit out [rather than comment out] all OTHER
> network protocols served by 'inetd'.
>
> Perhaps better not even to run 'inetd'.

Depends on the mail system.  I'd trust postfix or qmail/tcpserver to handle 
themselves well under both load and duress, other things I'd look for one of 
the modified inetds.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


