Re: How I spent my Christmas vacation - Email found in subject

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jan 2006 17:57:26 -0600

Aha!

You make several errors:

There is now no DoS potential -- I win
There are no spoofed NDRs -- I win again.
There are now no DNS issues -- I win three times.
There is NO potential for blacklist -- Four times a record.

The principle I'm using is least privilege, which trumps all other
recommendations or guidance.

I like debating with you more than Thor, I only win about 50% of the
time with him :)

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx] 
> Sent: Tuesday, January 03, 2006 5:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - 
> Email found in subject
> 
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > We'll have to agree to disagree. As long as you allow LDAP traffic from
> > an anonymous access DMZ to your DC, you're asking for bad things to
> > happen and people like me with ready and willing fingers to point at
> > you.
> 
> If you or anyone else on this planet can compromise my hardened and up
> to date OpenBSD SMTP mail gateway running Postfix jailed behind a
> hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
> Internet, then I will switch to your platform of riddled with spoofed
> NDR's, DNS clogging, DoS riddled, blacklisting potential, and
> bandwidth wasting system.
> 
> > My design is much more secure, hands-on.
> 
> Secure to who? You did not answer my question about what threats you
> are attempting to mitigate?
> 
> > The NDR issue is a problem with
> > my relay's platform. RFC or not (and you haven't mentioned which RFC
> > you're referring to)
> 
> SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.
> 
> >  I'm using security best practices by isolating my
> > low security zone hosts from my highest security zone hosts.
> 
> Sure, I agree with the DMZ config, but I simply add in the
> on-demand/scheduled LDAP lookups.  Solves your problems and follows
> your "security best practices" as best as possible without limiting
> functionality (provided reliable, efficient, and secure email
> services).
> 
> ...D
> 