Re: How I spent my Christmas vacation - Email found in subject

But of course :) 


Greg Mulholland
Just because I don't care, doesn't mean i dont understand - Homer
Simpson

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, January 04, 2006 11:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How I spent my Christmas vacation - Email found
in subject

http://www.ISAserver.org

Hi Greg,

Nice solution. The key is that the file is SCP'd to the mail server, and
not the other way around.

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Tuesday, January 03, 2006 6:37 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found

> in subject
> 
> http://www.ISAserver.org
> 
> Danny
> 
> Why not do what I did instead of lookup ldap directories directly, to 
> counter that sort of dependency on another machine for mailflow (you 
> know, DC goes down, or some firewall issue prevents connection, and 
> all of a sudden we start rejecting mail etc.  I didnt want that!)
>  
> What I did was write a script that runs on a windows box internally, 
> that yoinks all smtp addresses out of the AD for given domain names 
> (like all krystaltek.com etc) and compiles a text file which is then 
> scp'ed to the postfix box.  A cron job on the postfix box picks this 
> up and sticks it in the right place (/etc/postfix/valid_recips) and 
> postmaps it.
>  
> If the scp'ed file is more than x minutes old, the cron job on the 
> postfix box complains to us via nagios.  Likewise, if the file isnt 
> picked up by the cron job, the next time the windows script runs, it 
> complains (two processes checking each other is cheap and easy
> redundancy.)
>  
> If the whole thing goes to pot, at least the postfix box is just 
> running with an out of date copy of the list, rather than no list at 
> all :D
> 
> 
> Greg Mulholland
> Just because I don't care, doesn't mean i dont understand - Homer 
> Simpson
> 
> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx]
> Sent: Wednesday, January 04, 2006 10:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found

> in subject
> 
> http://www.ISAserver.org
> 
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > We'll have to agree to disagree. As long as you allow LDAP traffic 
> > from an anonymous access DMZ to your DC, you're asking for
> bad things
> > to happen and people like me with ready and willing fingers
> to point
> > at you.
> 
> If you or anyone else on this planet can compromise my hardened and up

> to date OpenBSD SMTP mail gateway running Postfix jailed behind a 
> hardened ISA 2004 SP1 server with only SMTP traffic allowed from the 
> Internet, then I will switch to your platform of riddled with spoofed 
> NDR's, DNS clogging, DoS riddled, blacklisting potential, and 
> bandwidth wasting system.
> 
> > My design is much more secure, hands-on.
> 
> Secure to who? You did not answer my question about what threats you 
> are attempting to mitigate?
> 
> > The NDR issue is a problem with
> > my relay's platform. RFC or not ( and you haven't mentioned
> which RFC
> > you're referring to)
> 
> SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.
> 
> >  I'm using security best practices by isolating my low
> security zone
> > hosts from my highest security zone hosts.
> 
> Sure, I agree with the DMZ config, but I simply add in the 
> on-demand/scheduled LDAP lookups.  Solves your problems and follows 
> your "security best practices" as best as possible without limiting 
> functionality (provided reliable, efficient, and secure email 
> services).
> 
> ...D
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> greg@xxxxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
greg@xxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


Other related posts: