Re: How I spent my Christmas vacation - Email found in subject
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Tue, 3 Jan 2006 18:39:36 -0600
Hi Greg,
Nice solution. The key is that the file is SCP'd to the mail server, and
not the other way around.
Thanks!
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Tuesday, January 03, 2006 6:37 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation -
> Email found in subject
>
> http://www.ISAserver.org
>
> Danny
>
> Why not do what I did instead of lookup ldap directories directly, to
> counter that sort of dependency on another machine for mailflow (you
> know, DC goes down, or some firewall issue prevents
> connection, and all
> of a sudden we start rejecting mail etc. I didnt want that!)
>
> What I did was write a script that runs on a windows box internally,
> that yoinks all smtp addresses out of the AD for given domain names
> (like all krystaltek.com etc) and compiles a text file which is then
> scp'ed to the postfix box. A cron job on the postfix box
> picks this up
> and sticks it in the right place (/etc/postfix/valid_recips) and
> postmaps it.
>
> If the scp'ed file is more than x minutes old, the cron job on the
> postfix box complains to us via nagios. Likewise, if the file isnt
> picked up by the cron job, the next time the windows script runs, it
> complains (two processes checking each other is cheap and easy
> redundancy.)
>
> If the whole thing goes to pot, at least the postfix box is
> just running
> with an out of date copy of the list, rather than no list at all :D
>
>
> Greg Mulholland
> Just because I don't care, doesn't mean i dont understand - Homer
> Simpson
>
> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx]
> Sent: Wednesday, January 04, 2006 10:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found
> in subject
>
> http://www.ISAserver.org
>
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > We'll have to agree to disagree. As long as you allow LDAP traffic
> > from an anonymous access DMZ to your DC, you're asking for
> bad things
> > to happen and people like me with ready and willing fingers
> to point
> > at you.
>
> If you or anyone else on this planet can compromise my hardened and up
> to date OpenBSD SMTP mail gateway running Postfix jailed behind a
> hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
> Internet, then I will switch to your platform of riddled with spoofed
> NDR's, DNS clogging, DoS riddled, blacklisting potential, and
> bandwidth
> wasting system.
>
> > My design is much more secure, hands-on.
>
> Secure to who? You did not answer my question about what
> threats you are
> attempting to mitigate?
>
> > The NDR issue is a problem with
> > my relay's platform. RFC or not ( and you haven't mentioned
> which RFC
> > you're referring to)
>
> SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.
>
> > I'm using security best practices by isolating my low
> security zone
> > hosts from my highest security zone hosts.
>
> Sure, I agree with the DMZ config, but I simply add in the
> on-demand/scheduled LDAP lookups. Solves your problems and
> follows your
> "security best practices" as best as possible without limiting
> functionality (provided reliable, efficient, and secure email
> services).
>
> ...D
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> greg@xxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
