nanog mailing list archives

RE: ORBS (Re: Scanning)


From: Roeland Meyer <rmeyer () mhsc com>
Date: Sun, 27 May 2001 10:24:57 -0700


So, you aren't happy when I build a poisoned cake for spammers, you want me
to use your specific recipe... even if mine works (better?). Tell me how a
MAPS-blocked system can relay spam.

Yes, I'll concede that your approach may work, albeit at higher HW cost than
my approach.

BTW, the MHSC answer to our ORBS listing last year is to drop sendmail and
build an MS-Exchange server so that we can authenticate with Win2K Domain
logins. But, that's very expensive and doesn't scale well. We also support
both PPTP and SSH VPN tunnels. There are obvious problems with both, as I've
discovered in practice.

1. Seat license costs with Exchange (scaling issues). 
2. Unless very carefully run, Exchange has serious security issues.
3. Exchange is good groupware for corps and way too much for normal users.
4. Many firewalls block any and all tunneling technology.
5. POP-based solutions demand widespread deployment of POPs. If a user is
out of POP range, they have to make LD calls. Plus there is an incremental
HW cost per POP. If one has a largish number of POPs, this is a significant
addition to the out-of-range LD charges that one still incurs.


From: E.B. Dreger [mailto:eddy () noc everquick net]
Sent: Sunday, May 27, 2001 9:54 AM

Date: Sun, 27 May 2001 09:11:39 -0700
From: Roeland Meyer <rmeyer () mhsc com>

[ snip ]

I don't buy the "we need open relay for nationwide users" argument,
either.  Build a cheap MX that does nothing but take mail from a given
POP, and send it to the world.  Anti-spoofing at the border,
don't accept mail from the outside world, and you're done.

You must not have a roaming staff or are willing to keep telcos wealthy.

Or I might know a better way.

Again, put a simple MX at each POP.  Want a constant IP address for the
SMTP server?  Each POP's border router redirects the SMTP server's IP
address to the local machine, which only allows inbound SMTP from the
local POPs.

Nothing new here.

And then there are VPNs for roaming staff...
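The per-POP design described in the quoted message (border anti-spoofing, a constant SMTP address redirected to the local box, and an MX that relays only for its own dial-up pool) as a toy policy model. This is an added example, not code from either poster or from any ISP mentioned in the thread; the POP names, address pools, interface names and the "constant" SMTP address are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed example data (not from the original message): the dial-up
# address pool behind each POP, the outbound-only MX sitting at each POP,
# and the single SMTP server address every roaming user configures.
SMTP_VIP = "192.0.2.25"
POP_POOLS = {
    "pop-sf": ip_network("10.10.0.0/22"),
    "pop-la": ip_network("10.20.0.0/22"),
}
LOCAL_MX = {
    "pop-sf": ip_address("10.10.0.25"),
    "pop-la": ip_address("10.20.0.25"),
}


def in_pool(pop, src):
    """True if src is an address assigned from this POP's dial-up pool."""
    return ip_address(src) in POP_POOLS[pop]


def border_filter(pop, iface, src):
    """Anti-spoofing at the POP border router.

    A packet arriving on the upstream interface must not claim a source
    inside this POP's pool (outsider pretending to be a local user), and a
    packet from a dial-up port must not claim a source outside it (local
    user pretending to be someone else).  Returns True if forwarded.
    """
    inside = in_pool(pop, src)
    if iface == "upstream" and inside:
        return False
    if iface == "dialup" and not inside:
        return False
    return True


def redirect(pop, dst):
    """The border router rewrites the constant SMTP address to the local MX,
    so a user dialling into any POP keeps the same server setting."""
    dst = ip_address(dst)
    return LOCAL_MX[pop] if dst == ip_address(SMTP_VIP) else dst


def mx_policy(pop, src):
    """The per-POP MX: relay to the world for the local pool, refuse all
    other clients.  Inbound mail for the domain is a separate box, so this
    machine never needs to accept anything from outside."""
    return "relay" if in_pool(pop, src) else "reject"


def submit(pop, iface, src, dst=SMTP_VIP):
    """Walk one SMTP connection through border filter, redirect and MX policy."""
    if not border_filter(pop, iface, src):
        return "dropped-at-border"
    target = redirect(pop, dst)
    if target != LOCAL_MX[pop]:
        return "not-the-mx"  # some other host; not this POP's relay at all
    return mx_policy(pop, src)


if __name__ == "__main__":
    print(submit("pop-sf", "dialup", "10.10.1.5"))        # local user: relay
    print(submit("pop-la", "dialup", "10.20.3.1"))        # roaming user at LA: relay
    print(submit("pop-sf", "upstream", "10.10.1.5"))      # spoofed local source: dropped
    print(submit("pop-sf", "upstream", "198.51.100.9"))   # outside world: reject
```

The two layers matter together: the MX trusts source addresses, so it is only as good as the border filter that guarantees a packet with a pool address really came in on a dial-up port. Without the anti-spoofing rule, the "relay for my own POP only" check collapses into an open relay for anyone who can spoof TCP well enough.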

