Re: How I spent my Christmas vacation

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jan 2006 18:47:30 -0500

On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
>
> We'll have to agree to disagree. As long as you allow LDAP traffic from
> an anonymous access DMZ to your DC, you're asking for bad things to
> happen and people like me with ready and willing fingers to point at
> you.

If you or anyone else on this planet can compromise my hardened and up
to date OpenBSD SMTP mail gateway running Postfix jailed behind a
hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
Internet, then I will switch to your platform, riddled with spoofed
NDRs, DNS clogging, DoS, blacklisting potential, and wasted
bandwidth.

> My design is much more secure, hands-on.

Secure to whom? You did not answer my question about what threats you
are attempting to mitigate.

> The NDR issue is a problem with
> my relay's platform. RFC or not (and you haven't mentioned which RFC
> you're referring to)

SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.

> I'm using security best practices by isolating my
> low security zone hosts from my highest security zone hosts.

Sure, I agree with the DMZ config, but I simply add in the
on-demand/scheduled LDAP lookups.  Solves your problems and follows
your "security best practices" as best as possible without limiting
functionality (provided reliable, efficient, and secure email
services).

...D
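The scheduled-lookup approach Danny describes can be implemented with no LDAP connection from the DMZ at all: a job inside the internal network exports the mail-enabled objects from the DC, the export is pushed to the gateway, and the gateway turns it into a Postfix `relay_recipient_maps` table so unknown recipients are rejected at RCPT TO instead of being accepted and bounced later. The script below is an added example, not code from the post or from either poster; it assumes the export is a plain LDIF file and uses a constructed sample (example.test addresses, not real directory data) with a folded continuation line, an X.400 proxy address and an address outside the relayed domain, all of which the converter has to handle.

```python
"""Build a Postfix relay_recipient_maps table from a scheduled LDAP export.

Added example, not from the mailing list post. Assumes the DC-side export
is an LDIF file produced by a scheduled job on the internal network and
copied to the DMZ gateway, so the gateway never talks LDAP to the DC.
"""
import base64
from typing import Dict, Iterable, List

# Constructed sample LDIF (not real directory data). Contains a folded
# continuation line, a non-SMTP proxy address, mixed case, a user whose
# domain this gateway does not relay for, and a mail-enabled group.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=example,DC=test
mail: Alice@example.test
proxyAddresses: SMTP:Alice@example.test
proxyAddresses: smtp:alice.smith@exa
 mple.test
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;

dn: CN=Bob,OU=Users,DC=example,DC=test
mail: bob@other.test
proxyAddresses: SMTP:bob@other.test

dn: CN=Sales,OU=Groups,DC=example,DC=test
proxyAddresses: SMTP:sales@example.test
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries, each {attribute: [values]}.

    Handles folded continuation lines (leading space), '#' comments and
    base64 values ('attr:: ...'). Sufficient for directory exports; it is
    not a complete RFC 2849 parser.
    """
    # Unfold: a line starting with a single space continues the previous one.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than abort the export
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def smtp_addresses(entry: Dict[str, List[str]]) -> Iterable[str]:
    """Yield an entry's SMTP addresses, lower-cased.

    Exchange-style proxyAddresses carry a type prefix ('SMTP:' primary,
    'smtp:' secondary, 'X400:' and others); only smtp-type values are
    deliverable recipients.
    """
    for value in entry.get("mail", []):
        yield value.lower()
    for value in entry.get("proxyaddresses", []):
        kind, sep, addr = value.partition(":")
        if sep and kind.lower() == "smtp":
            yield addr.lower()


def build_recipient_map(ldif_text: str, relay_domains: Iterable[str]) -> List[str]:
    """Return sorted, de-duplicated 'address OK' lines for relay_recipient_maps,
    restricted to the domains this gateway relays for."""
    domains = {d.lower() for d in relay_domains}
    accepted = set()
    for entry in parse_ldif(ldif_text):
        for addr in smtp_addresses(entry):
            local, at, domain = addr.rpartition("@")
            if at and local and domain in domains:
                accepted.add(addr)
    return [f"{addr} OK" for addr in sorted(accepted)]


if __name__ == "__main__":
    for line in build_recipient_map(SAMPLE_LDIF, ["example.test"]):
        print(line)
```

On the gateway the generated lines go into a file such as `/etc/postfix/relay_recipients`, followed by `postmap hash:/etc/postfix/relay_recipients` and `relay_recipient_maps = hash:/etc/postfix/relay_recipients` in `main.cf`; the schedule of the export job then bounds how stale the table can be, which is the trade-off against a live lookup.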
