On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
>
> We'll have to agree to disagree. As long as you allow LDAP traffic from
> an anonymous access DMZ to your DC, you're asking for bad things to
> happen and people like me with ready and willing fingers to point at
> you.

If you or anyone else on this planet can compromise my hardened and up to date OpenBSD SMTP mail gateway running Postfix, jailed behind a hardened ISA 2004 SP1 server with only SMTP traffic allowed from the Internet, then I will switch to your platform of a spoofed-NDR-riddled, DNS-clogging, DoS-riddled, blacklisting-prone, and bandwidth-wasting system.

> My design is much more secure, hands-on.

Secure to whom? You did not answer my question about what threats you are attempting to mitigate.

> The NDR issue is a problem with
> my relay's platform. RFC or not (and you haven't mentioned which RFC
> you're referring to)

SMTP RFC 821, http://www.faqs.org/rfcs/rfc821.html.

> I'm using security best practices by isolating my
> low security zone hosts from my highest security zone hosts.

Sure, I agree with the DMZ config, but I simply add in the on-demand/scheduled LDAP lookups. That solves your problems and follows your "security best practices" as best as possible without limiting functionality (provided reliable, efficient, and secure email services).

...D
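The scheduled-lookup design Danny describes, as an added example that is not code from either poster: an internal-side job exports valid recipients from AD and the DMZ Postfix relay loads them as a relay_recipient_maps table, so unknown recipients are rejected at SMTP time (no NDR backscatter) and no LDAP path from the DMZ to the DC is needed. The LDAP query itself, the attribute names handled (mail, proxyAddresses) and the sample domains are assumptions.

```python
"""Build a Postfix relay_recipient_maps table from a scheduled AD/LDAP export.

The relay gets a periodically refreshed recipient list instead of a live LDAP
path to the DC, so it rejects unknown addresses at SMTP time and never emits an
NDR for them. Assumption: an internal-side job runs the LDAP search and hands
over dicts with 'mail' and 'proxyAddresses' per user; this code filters/renders.
"""
import re
from typing import Iterable

LOCAL_DOMAINS = {"example.com", "mail.example.com"}  # constructed sample domains
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)$")

def extract_addresses(entries: Iterable[dict]) -> set[str]:
    """Collect every deliverable SMTP address for the relay's domains.

    AD keeps the primary address in 'mail' and aliases in 'proxyAddresses'
    prefixed 'SMTP:'/'smtp:'; X400:/X500: entries are skipped. Addresses
    outside LOCAL_DOMAINS are dropped so a stray external proxyAddress can't
    make the relay accept mail for a foreign domain.
    """
    found = set()
    for entry in entries:
        candidates = list(entry.get("mail", []))
        for pa in entry.get("proxyAddresses", []):
            prefix, _, value = pa.partition(":")
            if prefix.lower() == "smtp":
                candidates.append(value)
        for addr in candidates:
            addr = addr.strip().lower()
            m = ADDR_RE.match(addr)
            if m and m.group(1) in LOCAL_DOMAINS:
                found.add(addr)
    return found

def render_relay_recipient_maps(addresses: set[str]) -> str:
    """Emit the table body Postfix expects ('address OK'), one per line."""
    return "".join(f"{a} OK\n" for a in sorted(addresses))

# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = [
    {"mail": ["alice@example.com"],
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;"]},
    {"mail": ["bob@example.com"], "proxyAddresses": ["smtp:bob@partner.invalid"]},
    {"mail": ["not an address"]},
]
if __name__ == "__main__":
    print(render_relay_recipient_maps(extract_addresses(SAMPLE_ENTRIES)), end="")
```

Write the output to the relay, run postmap on it, and point relay_recipient_maps in main.cf at the resulting table; the job only ever pushes data toward the DMZ, so the firewall still needs nothing but SMTP from the Internet.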