Re: How I spent my Christmas vacation - Email found in subject

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jan 2006 18:57:49 -0600

You da Man! :-))

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx] 
> Sent: Tuesday, January 03, 2006 6:54 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
> 
> http://www.ISAserver.org
> 
> But of course :) 
> 
> 
> Greg Mulholland
> Just because I don't care, doesn't mean I don't understand - Homer
> Simpson
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Wednesday, January 04, 2006 11:40 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found
> in subject
> 
> http://www.ISAserver.org
> 
> Hi Greg,
> 
> Nice solution. The key is that the file is SCP'd to the mail server, and
> not the other way around.
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> > Sent: Tuesday, January 03, 2006 6:37 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: How I spent my Christmas vacation - Email found
> > in subject
> > 
> > http://www.ISAserver.org
> > 
> > Danny
> > 
> > Why not do what I did instead of lookup ldap directories directly, to
> > counter that sort of dependency on another machine for mailflow (you
> > know, DC goes down, or some firewall issue prevents connection, and
> > all of a sudden we start rejecting mail etc.  I didn't want that!)
> > 
> > What I did was write a script that runs on a Windows box internally,
> > that yoinks all smtp addresses out of the AD for given domain names
> > (like all krystaltek.com etc) and compiles a text file which is then
> > scp'ed to the postfix box.  A cron job on the postfix box picks this
> > up and sticks it in the right place (/etc/postfix/valid_recips) and
> > postmaps it.
> > 
> > If the scp'ed file is more than x minutes old, the cron job on the
> > postfix box complains to us via nagios.  Likewise, if the file isn't
> > picked up by the cron job, the next time the Windows script runs, it
> > complains (two processes checking each other is cheap and easy
> > redundancy.)
> > 
> > If the whole thing goes to pot, at least the postfix box is just
> > running with an out of date copy of the list, rather than no list at
> > all :D
> > 
> > 
> > Greg Mulholland
> > Just because I don't care, doesn't mean I don't understand - Homer
> > Simpson
> > 
> > -----Original Message-----
> > From: Danny [mailto:nocmonkey@xxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 10:48 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: How I spent my Christmas vacation - Email found
> > in subject
> > 
> > http://www.ISAserver.org
> > 
> > On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > > Hi Danny,
> > >
> > > We'll have to agree to disagree. As long as you allow LDAP traffic
> > > from an anonymous access DMZ to your DC, you're asking for bad things
> > > to happen and people like me with ready and willing fingers to point
> > > at you.
> > 
> > If you or anyone else on this planet can compromise my hardened and up
> > to date OpenBSD SMTP mail gateway running Postfix jailed behind a
> > hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
> > Internet, then I will switch to your platform of riddled with spoofed
> > NDR's, DNS clogging, DoS riddled, blacklisting potential, and
> > bandwidth wasting system.
> > 
> > > My design is much more secure, hands-on.
> > 
> > Secure to who? You did not answer my question about what threats you
> > are attempting to mitigate?
> > 
> > > The NDR issue is a problem with
> > > my relay's platform. RFC or not (and you haven't mentioned which RFC
> > > you're referring to)
> > 
> > SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.
> > 
> > > I'm using security best practices by isolating my low security zone
> > > hosts from my highest security zone hosts.
> > 
> > Sure, I agree with the DMZ config, but I simply add in the 
> > on-demand/scheduled LDAP lookups.  Solves your problems and follows 
> > your "security best practices" as best as possible without limiting 
> > functionality (provided reliable, efficient, and secure email 
> > services).
> > 
> > ...D
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > greg@xxxxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > 
> 
> 
> 
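
A sketch of the Postfix-side cron job Greg describes in the quoted message, added here as an example and not code from the thread. It assumes the pushed file holds one address per line; the drop path, domain list, 90-minute limit and `--run` flag are placeholders, and the return values follow the Nagios plugin exit-code convention.

```shell
#!/bin/sh
# Constructed example. Only /etc/postfix/valid_recips comes from the thread;
# every other path, domain and threshold below is a placeholder.
INCOMING=${INCOMING:-/home/recipsync/valid_recips.new}  # where scp drops the file
DEST=${DEST:-/etc/postfix/valid_recips}
DOMAINS=${DOMAINS:-"example.com example.net"}           # domains the relay accepts
MAX_AGE_MIN=${MAX_AGE_MIN:-90}                          # the "x minutes" limit
POSTMAP=${POSTMAP:-postmap}

# True when the file was last modified more than MAX_AGE_MIN minutes ago.
is_stale() { [ -n "$(find "$1" -mmin +"$MAX_AGE_MIN" 2>/dev/null)" ]; }

# True only when the file is non-empty and every line is a single address
# in one of DOMAINS (CRs from the Windows side are tolerated).
validate_recips() {
    [ -s "$1" ] || return 1
    pat=$(printf '%s' "$DOMAINS" | sed 's/\./\\./g; s/  */|/g')
    ! tr -d '\r' < "$1" | grep -Eviq "^[a-z0-9._%+-]+@($pat)\$"
}

# Returns Nagios plugin codes: 0 OK, 1 WARNING, 2 CRITICAL.
sync_recips() {
    if [ -f "$INCOMING" ]; then
        # A rejected file stays in place: the live list is untouched and the
        # sender sees that its last upload was never picked up.
        validate_recips "$INCOMING" ||
            { echo "CRITICAL: delivered list failed validation"; return 2; }
        tmp="$DEST.tmp.$$"
        tr -d '\r' < "$INCOMING" | tr 'A-Z' 'a-z' | sort -u |
            sed 's/$/ OK/' > "$tmp" &&
            mv "$tmp" "$DEST" && "$POSTMAP" "hash:$DEST" && rm -f "$INCOMING" ||
            { echo "CRITICAL: could not install new list"; return 2; }
    fi
    [ -f "$DEST" ] || { echo "CRITICAL: no recipient list installed"; return 2; }
    # DEST's mtime is the last successful install, so its age is time since sync.
    is_stale "$DEST" &&
        { echo "WARNING: list not refreshed in $MAX_AGE_MIN min"; return 1; }
    echo "OK: $(grep -c . "$DEST") recipients"
}

# Cron entry point: /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then sync_recips; exit $?; fi
```

Because the mail gateway only consumes a file that was pushed to it, a failed or malformed transfer degrades to an out-of-date list, and the DMZ host never needs a connection into the internal network.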

