From: Alan Hodgson (ahodgson simkin.ca)
Date: Wed Jan 30 2002 - 12:35:57 CST
On Wed, Jan 30, 2002 at 05:14:39PM +0000, Keith Matthews wrote:
> 1. Demon do not block access to clients sites in any way.
>
> 2. Demon allow any demon user to use their mail servers for outgoing
> mail (I do myself)
>
>
> Thus all it takes is some clueless admin at a client with an MX that
> points to them not Demon and there is an open relay situation.
>
> If you have any good ideas on how to prevent the situation I'm sure
> they would like to know.
>
Only allow authorized POP-3 users to use their mail relays. Make customers
with their own mail servers handle their own outbound mail.

Test all mail servers on their network for Open Relay. Make their
customers fix their Open Relays or block their outbound traffic until they
are fixed.

In short, be good, proactive network citizens.

I recently wrote some scripts to test a /19 belonging to a local ISP (at
their request) for Open Relays. It took less than a day to put together,
and runs in less than 10 minutes. They are now running it bi-weekly to
catch new Open Relays on their network.

Demon could do the same. I'm very surprised more ISPs don't actively scan
for Open Relays - catching them before they're abused is a hell of a lot less
work than handling the complaints that result from abused relays, not to
mention it's just a good thing to do.

If one wanted to be very proactive, they would deny inbound port 25 to
their network, unless a customer registers a mail server with them. Then
test it for relay before opening it up to the world. And still test it
once in a while after that to make sure they haven't opened it up to relay,
accidentally or otherwise.
--
"If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be." -- Thomas Jefferson
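The per-server relay test the message above recommends can be sketched as follows. This is an added example, not the poster's scripts (which are not on the page); the probe addresses are constructed placeholders on reserved example domains, and the function and verdict names are hypothetical.

```python
import smtplib

# Constructed placeholder addresses on reserved example domains. Neither is
# local to the server under test, so a correctly configured MTA must refuse
# the recipient when the probe comes from an untrusted client.
PROBE_FROM = "relaytest@example.org"
PROBE_TO = "relaytest@example.net"


def classify(mail_code, rcpt_code):
    """Map the MAIL FROM and RCPT TO reply codes to a verdict."""
    if mail_code // 100 != 2:
        return "closed"            # sender refused, RCPT never tried
    if rcpt_code // 100 == 2:
        return "relay-accepted"    # non-local recipient accepted: candidate open relay
    if rcpt_code // 100 == 4:
        return "inconclusive"      # temporary failure or greylisting, retest later
    return "closed"                # 5xx, for example 554 Relay access denied


def check_relay(host, port=25, timeout=10):
    """Probe one registered mail server. No DATA is sent, so nothing is queued."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            mail_code, _ = smtp.mail(PROBE_FROM)
            rcpt_code = 0
            if mail_code // 100 == 2:
                rcpt_code, _ = smtp.rcpt(PROBE_TO)
            return classify(mail_code, rcpt_code)   # QUIT is sent on exit
    except (OSError, smtplib.SMTPException):
        return "unreachable"       # refused, timed out, or dropped mid-dialogue
```

Run the probe from an address outside the server's trusted networks, because a client the server already trusts is allowed to relay and would give a false positive. Some servers accept the recipient and only refuse at DATA, so a `relay-accepted` result is a candidate to confirm with the server's administrator.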