Aha! You make several errors:

There is now no DoS potential -- I win.
There are no spoofed NDRs -- I win again.
There are now no DNS issues -- I win three times.
There is NO potential for blacklisting -- Four times, a record.

The principle I'm using is least privilege, which trumps all other recommendations or guidance.

I like debating with you more than Thor; I only win about 50% of the time with him :)

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

**Who is John Galt?**

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx]
> Sent: Tuesday, January 03, 2006 5:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
>
> http://www.ISAserver.org
>
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > We'll have to agree to disagree. As long as you allow LDAP traffic from
> > an anonymous access DMZ to your DC, you're asking for bad things to
> > happen and people like me with ready and willing fingers to point at
> > you.
>
> If you or anyone else on this planet can compromise my hardened and up
> to date OpenBSD SMTP mail gateway running Postfix jailed behind a
> hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
> Internet, then I will switch to your platform, riddled with spoofed
> NDRs, DNS clogging, DoS, blacklisting potential, and bandwidth waste.
>
> > My design is much more secure, hands down.
>
> Secure to whom? You did not answer my question about what threats you
> are attempting to mitigate.
>
> > The NDR issue is a problem with my relay's platform. RFC or not (and
> > you haven't mentioned which RFC you're referring to)
>
> SMTP RFC 821, http://www.faqs.org/rfcs/rfc821.html.
>
> > I'm using security best practices by isolating my low security zone
> > hosts from my highest security zone hosts.
>
> Sure, I agree with the DMZ config, but I simply add in the
> on-demand/scheduled LDAP lookups. Solves your problems and follows
> your "security best practices" as best as possible without limiting
> functionality (providing reliable, efficient, and secure email
> services).
>
> ...D
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx