2.2.15: SMTP submission server?

[Reindl Harald]

Am 17.11.2014 um 08:23 schrieb Ron Leach:
> On 16/11/2014 07:24, Robert Schetterer wrote (re-ordered):
>> Am 16.11.2014 um 02:24 schrieb Reindl Harald:
>>
>>> * if you find a security issue in postfix running
>>>    on 587 over TLS cry out loud
>
> I'm thinking beyond that; I want to get to the position that when there
> is an issue in the MTA, our systems are less exposed than they might
> otherwise be.  It's not about the MTA.

and why do you then want the MTA inside dovecot?

if there is an issue in postfix, well, that's it and not more because by 
using dovecots SASL provider it has even no access to the user database 
at all

>>> that's it and if you think that combination is not secure enough pull
>>> the network cables
>>>
> That's pretty much what we have at the moment, but we need to be able to
> submit from offsite, and I'm keen to implement that together with our
> migration to 2.2.  Of course offsite submission is easy, but in our
> experience that is also vulnerable.

what expierience?

> Let me list the approach we'd prefer:
>
> (i) MTA open on port 25 for inbound email.
>
> (ii) MTA not open on any other port, because (for example, our) MTAs are
> constantly faced on port 25 with password attacks, malformed packets,
> malformed messages that contain scripts, and malformed protocol
> sequences; all these show up in the logs.

so what

> In the past, at least one of
> those succeeded.  We have a saying: 'once bitten, twice shy'.  So, now I
> would prefer that any MTA we use (that is capable of outbound messaging)
> be *not* capable of relaying from any inbound SMTP protocol.  (Because
> inbound SMTP is the focus of so much attack

jesus christ than disable sasl on port 25 and you are done

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20141117/7fae0fdc/attachment.sig>