You da Man! :-))

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Tuesday, January 03, 2006 6:54 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
>
> http://www.ISAserver.org
>
> But of course :)
>
> Greg Mulholland
> Just because I don't care, doesn't mean I don't understand - Homer Simpson
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 11:40 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
>
> Hi Greg,
>
> Nice solution. The key is that the file is SCP'd to the mail server,
> and not the other way around.
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> > Sent: Tuesday, January 03, 2006 6:37 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
> >
> > Danny
> >
> > Why not do what I did instead of looking up LDAP directories
> > directly, to counter that sort of dependency on another machine for
> > mailflow (you know, DC goes down, or some firewall issue prevents
> > connection, and all of a sudden we start rejecting mail etc. I
> > didn't want that!)
> >
> > What I did was write a script that runs on a Windows box internally,
> > that yoinks all SMTP addresses out of the AD for given domain names
> > (like all krystaltek.com etc) and compiles a text file which is then
> > scp'ed to the postfix box. A cron job on the postfix box picks this
> > up and sticks it in the right place (/etc/postfix/valid_recips) and
> > postmaps it.
> >
> > If the scp'ed file is more than x minutes old, the cron job on the
> > postfix box complains to us via Nagios. Likewise, if the file isn't
> > picked up by the cron job, the next time the Windows script runs, it
> > complains (two processes checking each other is cheap and easy
> > redundancy.)
> >
> > If the whole thing goes to pot, at least the postfix box is just
> > running with an out of date copy of the list, rather than no list at
> > all :D
> >
> > Greg Mulholland
> > Just because I don't care, doesn't mean I don't understand - Homer Simpson
> >
> > -----Original Message-----
> > From: Danny [mailto:nocmonkey@xxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 10:48 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
> >
> > On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > > Hi Danny,
> > >
> > > We'll have to agree to disagree. As long as you allow LDAP traffic
> > > from an anonymous access DMZ to your DC, you're asking for bad
> > > things to happen and people like me with ready and willing fingers
> > > to point at you.
> >
> > If you or anyone else on this planet can compromise my hardened and
> > up to date OpenBSD SMTP mail gateway running Postfix jailed behind a
> > hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
> > Internet, then I will switch to your platform of riddled with
> > spoofed NDRs, DNS clogging, DoS riddled, blacklisting potential, and
> > bandwidth wasting system.
> >
> > > My design is much more secure, hands-on.
> >
> > Secure to who? You did not answer my question about what threats you
> > are attempting to mitigate?
> >
> > > The NDR issue is a problem with my relay's platform. RFC or not
> > > (and you haven't mentioned which RFC you're referring to)
> >
> > SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.
> >
> > > I'm using security best practices by isolating my low security
> > > zone hosts from my highest security zone hosts.
> >
> > Sure, I agree with the DMZ config, but I simply add in the
> > on-demand/scheduled LDAP lookups. Solves your problems and follows
> > your "security best practices" as best as possible without limiting
> > functionality (provided reliable, efficient, and secure email
> > services).
> >
> > ...D
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > greg@xxxxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
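
The Postfix-side half of the push design Greg describes in the quoted 6:37 PM message, sketched as a cron script; this is an added example, not code posted to the list. The upload path, the 30-minute limit, the address pattern, the `--run` switch, and deleting the upload to signal pickup are all assumptions.

```shell
#!/bin/sh
# Added example: Postfix-side cron job for a recipient list pushed in over scp.
# INCOMING, MAX_AGE_MIN and the address pattern are assumptions; TARGET is the
# path named in the thread. Return codes follow the Nagios plugin convention.
INCOMING=${INCOMING:-/home/recips/valid_recips.new}
TARGET=${TARGET:-/etc/postfix/valid_recips}
MAX_AGE_MIN=${MAX_AGE_MIN:-30}
POSTMAP=${POSTMAP:-postmap}

# True when the file is missing or was last modified over MAX_AGE_MIN ago.
is_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mmin +"$MAX_AGE_MIN")" ]
}

# Print "address OK" map lines. Fails on an empty list or on any line that is
# not one plain address, so a truncated or tampered upload is never installed.
to_map() {
    awk '{ sub(/\r$/, "") }          # the exporter runs on Windows: drop CR
         /^[ \t]*$/ { next }
         !/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/ { bad = 1; exit }
         { print tolower($0) " OK"; n++ }
         END { exit (bad || n == 0) ? 1 : 0 }' "$1"
}

# Install a pending upload if there is one, then report on list freshness.
refresh_recipients() {
    if [ -f "$INCOMING" ]; then
        tmp="$TARGET.tmp.$$"
        if to_map "$INCOMING" > "$tmp" && mv "$tmp" "$TARGET" && "$POSTMAP" "$TARGET"; then
            rm -f "$INCOMING"        # consumed: shows the sender it was picked up
        else
            rm -f "$tmp"
            echo "CRITICAL: upload rejected, still serving the previous list"
            return 2
        fi
    fi
    if is_stale "$TARGET"; then
        echo "CRITICAL: recipient list missing or older than ${MAX_AGE_MIN} minutes"
        return 2
    fi
    echo "OK: $(grep -c . "$TARGET") recipients"
}

# Cron calls the script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then refresh_recipients; exit $?; fi
```

A rejected upload is left in place, so the sending side's "not picked up" check fires as well, and the live map is only ever replaced by a file that passed validation.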