Re: How I spent my Christmas vacation - Email found in subject

  • From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 4 Jan 2006 11:37:08 +1100

Danny

Why not do what I did instead of looking up LDAP directories directly, to
counter that sort of dependency on another machine for mailflow (you
know, DC goes down, or some firewall issue prevents connection, and all
of a sudden we start rejecting mail etc.  I didn't want that!)
 
What I did was write a script that runs on a windows box internally,
that yoinks all smtp addresses out of the AD for given domain names
(like all krystaltek.com etc) and compiles a text file which is then
scp'ed to the postfix box.  A cron job on the postfix box picks this up
and sticks it in the right place (/etc/postfix/valid_recips) and
postmaps it.
 
If the scp'ed file is more than x minutes old, the cron job on the
postfix box complains to us via nagios.  Likewise, if the file isn't
picked up by the cron job, the next time the windows script runs, it
complains (two processes checking each other is cheap and easy
redundancy.)
 
If the whole thing goes to pot, at least the postfix box is just running
with an out of date copy of the list, rather than no list at all :D 


Greg Mulholland
Just because I don't care, doesn't mean I don't understand - Homer
Simpson
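The pipeline Greg describes above (pull SMTP addresses for your own domains out of AD, ship a text file to the Postfix box, install it as /etc/postfix/valid_recips and run postmap, and alarm when the copy goes stale), written out as an added example. This is not Greg's script and not part of the thread; it assumes the Windows side hands over proxyAddresses-style values (the "SMTP:user@domain" form Exchange stores in AD, sample values constructed here), that the resulting file is consumed by Postfix as a hash: lookup table in relay_recipient_maps, and it leaves the actual postmap call and the scp transfer to the surrounding cron job. The install step writes to a temporary file and renames it so Postfix never reads a half-copied map, and it refuses to install an empty list, which is what keeps an out-of-date copy in place when the AD query fails.

```python
"""Build a Postfix recipient map from AD proxyAddresses and check its freshness.

Added example, not code from the mailing-list post. Assumptions: input values are
proxyAddresses strings ("SMTP:user@domain"), output is a hash: table for
relay_recipient_maps, and postmap/scp are run by the caller (the cron job).
"""
import os
import re
import tempfile
import time

# Constructed sample of what a Windows-side AD query might return.
SAMPLE_PROXY_ADDRESSES = [
    "SMTP:greg@krystaltek.com",                  # primary address
    "smtp:Greg.Mulholland@krystaltek.com",       # secondary alias
    "smtp:greg@krystaltek.com.au",               # domain we do not relay for
    "X400:c=AU;a= ;p=Krystaltek;o=Exchange;s=Mulholland;g=Greg;",  # not SMTP
    "SMTP:helpdesk@krystaltek.com",
    "smtp:GREG@KRYSTALTEK.COM",                  # duplicate differing only in case
    "smtp:bogus@example.org",                    # foreign domain, must be dropped
]

# Conservative check so a malformed AD value cannot produce a broken map line.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def extract_recipients(proxy_addresses, domains):
    """Return the sorted, de-duplicated SMTP addresses belonging to `domains`."""
    allowed = {d.lower() for d in domains}
    seen = set()
    for value in proxy_addresses:
        prefix, sep, addr = value.partition(":")
        if sep != ":" or prefix.lower() != "smtp":
            continue                      # X400, X500, SIP, ... are not mail routes
        addr = addr.strip().lower()       # Postfix keys are matched case-insensitively
        if not ADDR_RE.match(addr):
            continue
        if addr.rsplit("@", 1)[1] not in allowed:
            continue                      # never whitelist a domain we do not own
        seen.add(addr)
    return sorted(seen)


def render_map(recipients):
    """Postfix lookup-table text: one 'key value' line per recipient."""
    return "".join(f"{addr} OK\n" for addr in recipients)


def install_map(text, dest):
    """Atomically replace `dest`; refuse an empty map so a failed AD pull
    leaves the previous (stale but usable) copy in place."""
    if not text.strip():
        raise ValueError("refusing to install an empty recipient map")
    directory = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".valid_recips.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, dest)                 # rename is atomic on the same filesystem
    return dest                           # caller then runs: postmap hash:<dest>


def file_is_stale(path, max_age_minutes, now=None):
    """True when the copy is missing or older than the threshold (Nagios check)."""
    now = time.time() if now is None else now
    try:
        age = now - os.path.getmtime(path)
    except FileNotFoundError:
        return True
    return age > max_age_minutes * 60


def demo():
    """Run the whole pipeline in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "valid_recips")
        recips = extract_recipients(SAMPLE_PROXY_ADDRESSES, ["krystaltek.com"])
        install_map(render_map(recips), dest)
        fresh = not file_is_stale(dest, 15)
        try:                              # simulate an AD query that returned nothing
            install_map("", dest)
            refused_empty = False
        except ValueError:
            refused_empty = True
        with open(dest) as fh:
            content = fh.read()           # previous copy must still be intact
        hour_ago = time.time() - 3600     # simulate the scp feed stopping
        os.utime(dest, (hour_ago, hour_ago))
        stale = file_is_stale(dest, 15)
    return {"recipients": recips, "content": content, "fresh_before": fresh,
            "refused_empty": refused_empty, "stale_after": stale}


if __name__ == "__main__":
    print(demo())
```

In production the Windows side would produce the same text and scp it over, and the cron job on the Postfix box would call install_map followed by `postmap hash:/etc/postfix/valid_recips`; file_is_stale is the piece to wire into the Nagios check so a stopped feed is noticed before the list drifts far from AD.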

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx] 
Sent: Wednesday, January 04, 2006 10:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How I spent my Christmas vacation - Email found
in subject

http://www.ISAserver.org

On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
>
> We'll have to agree to disagree. As long as you allow LDAP traffic 
> from an anonymous access DMZ to your DC, you're asking for bad things 
> to happen and people like me with ready and willing fingers to point 
> at you.

If you or anyone else on this planet can compromise my hardened and up
to date OpenBSD SMTP mail gateway running Postfix jailed behind a
hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
Internet, then I will switch to your platform of riddled with spoofed
NDRs, DNS clogging, DoS riddled, blacklisting potential, and
bandwidth-wasting system.

> My design is much more secure, hands-on.

Secure to whom? You did not answer my question about what threats you are
attempting to mitigate.

> The NDR issue is a problem with
> my relay's platform. RFC or not ( and you haven't mentioned which RFC 
> you're referring to)

SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.

>  I'm using security best practices by isolating my low security zone 
> hosts from my highest security zone hosts.

Sure, I agree with the DMZ config, but I simply add in the
on-demand/scheduled LDAP lookups.  Solves your problems and follows your
"security best practices" as best as possible without limiting
functionality (provided reliable, efficient, and secure email services).

...D


