On Fri, Feb 13, 2015 at 12:45 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>> In this case the secondary MX has the same RBL's etc etc as the primary.
>>> I do see the spammers sending their junk to the secondary more than the
>>> primary MX. Agree the secondary does not know the difference between
>>> valid and invalid addresses.
>
> What software the secondary MX is based on in whose case you say secondary
> MX doesn't know legitimate addresses of primary MX?
>
> I know about postfix. And all my servers are based on postfix. And even in
> the most trivial configuration of secondary MX based on postfix secondary
> MX _does_ have to have all legitimate addresses of primary MX. These are
> in relay_recipients table. Any address that is not in that table, will not
> be accepted by secondary MX. Postfix even in the most trivial
> configuration is sane and does not "accept everything".
>
> So, what is the secondary MX server that you are describing that "accepts
> everything" is based on?

I think he means that the secondary does not know the user names on the
primary. Which it won't, unless someone maintains it, regardless of the
server software.

-- 
Les Mikesell
lesmikesell at gmail.com
On Fri, February 13, 2015 12:52 pm, Les Mikesell wrote:
> On Fri, Feb 13, 2015 at 12:45 PM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>>> In this case the secondary MX has the same RBL's etc etc as the
>>>> primary.
>>>> I do see the spammers sending their junk to the secondary more than the
>>>> primary MX. Agree the secondary does not know the difference between
>>>> valid and invalid addresses.
>>
>> What software the secondary MX is based on in whose case you say
>> secondary
>> MX doesn't know legitimate addresses of primary MX?
>>
>> I know about postfix. And all my servers are based on postfix. And even
>> in
>> the most trivial configuration of secondary MX based on postfix
>> secondary
>> MX _does_ have to have all legitimate addresses of primary MX. These are
>> in relay_recipients table. Any address that is not in that table, will
>> not
>> be accepted by secondary MX. Postfix even in the most trivial
>> configuration is sane and does not "accept everything".
>>
>> So, what is the secondary MX server that you are describing that
>> "accepts
>> everything" is based on?
>
> I think he means that the secondary does not know the user names on
> the primary. Which it won't, unless someone maintains it, regardless
> of the server software.
>

Did you ever set up backup MX based on postfix? Sounds like not, as in case
of postfix you have to maintain that table on backup MX, or it will not
accept anything destined to primary MX.

It is only now that I read the thread subject... which is about sendmail.
So, I guess my comments about postfix are not relevant or not quite
relevant to this thread. I started replacing venerable sendmail almost two
decades back with postfix which was written with security in mind from the
very beginning by a brilliant person: Wietse Venema. I still like human
readable configuration files of postfix and got really used to all logic
of it.

So even though sendmail I heard is not a security disaster for a long time
already I'm quite happy with postfix. At some point even RedHat switched to
postfix as default MX software on their system (not long ago though...).

I guess, backup MX example makes me even happier: postfix really prevents
you from doing the wrong thing (making your backup MX a source of
backscatter).

Just my $0.02

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
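As an added illustration of the point argued above (this is editor-supplied example code, not anything posted to the list and not Postfix's own code), here is a small Python model of the decision a backup MX makes at RCPT TO time. It parses a constructed relay_recipients table in the plain "key value" text format that postmap reads, rejects unknown recipients for the relayed domain inside the SMTP session, and contrasts that with an "accept everything" secondary that takes the mail first and discovers later that the primary has no such user, which is exactly how a backup MX becomes a source of backscatter. The table contents, the relay domain example.org and the sample recipient list are all constructed for the example.

```python
"""Model of a backup MX's RCPT TO decision: reject unknown recipients in
the SMTP session versus accept everything and bounce later (backscatter).

Added example for this thread; not code from the list or from Postfix.
All data below is constructed.
"""

# Constructed relay_recipients table in the "key  value" text form that
# Postfix's postmap turns into a lookup table.
RELAY_RECIPIENTS_TXT = """\
# addresses the primary MX for example.org actually delivers to
alice@example.org       OK
bob@example.org         OK
postmaster@example.org  OK
"""

# Domain(s) this secondary MX is willing to queue for (constructed).
RELAY_DOMAINS = {"example.org"}

# Constructed RCPT TO batch: two unknown local parts, one real user,
# and one address for a domain we are not a backup for.
SAMPLE_RCPTS = [
    "alice@example.org",
    "zzz123@example.org",
    "bogus@example.org",
    "carol@example.org",
    "alice@elsewhere.test",
]


def parse_relay_recipients(text):
    """Parse a postmap-style text table into a set of lowercase addresses
    whose value is OK. Blank lines and '#' comments are skipped."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        value = parts[1].upper() if len(parts) > 1 else "OK"
        if value == "OK":
            allowed.add(key)
    return allowed


def rcpt_to_decision(recipient, allowed, relay_domains, accept_everything=False):
    """Return (smtp_code, text) for one RCPT TO command.

    250: queue for relay to the primary.
    550: recipient unknown, refused in-session, so the *sending* server
         owns any failure notice and we never bounce to a forged sender.
    554: domain we are not a backup MX for at all.
    """
    addr = recipient.strip().lower()
    if "@" not in addr:
        return (501, "Syntax error in recipient address")
    _local, _, domain = addr.rpartition("@")
    if domain not in relay_domains:
        return (554, "Relay access denied")
    if accept_everything or addr in allowed:
        return (250, "Ok")
    return (550, "Recipient address rejected: User unknown in relay recipient table")


def simulate_session(rcpts, allowed, relay_domains, accept_everything):
    """Run a batch of RCPT TO commands and count the outcome.

    Every recipient the "accept everything" MX queues that the primary
    does not know will later come back as a bounce to the envelope
    sender, which for spam is usually forged: that is the backscatter.
    """
    stats = {"accepted": 0, "rejected_in_session": 0, "backscatter": 0}
    for rcpt in rcpts:
        code, _ = rcpt_to_decision(rcpt, allowed, relay_domains, accept_everything)
        if code == 250:
            stats["accepted"] += 1
            if rcpt.strip().lower() not in allowed:
                stats["backscatter"] += 1
        else:
            stats["rejected_in_session"] += 1
    return stats


if __name__ == "__main__":
    allowed = parse_relay_recipients(RELAY_RECIPIENTS_TXT)
    for mode in (False, True):
        label = "accept everything" if mode else "relay_recipients checked"
        print(label, simulate_session(SAMPLE_RCPTS, allowed, RELAY_DOMAINS, mode))
```

On a real Postfix secondary the equivalent of the checked mode is `relay_recipient_maps = hash:/etc/postfix/relay_recipients` in main.cf with the table built by `postmap /etc/postfix/relay_recipients`, and the table has to be regenerated whenever the primary's user list changes, which is the maintenance burden Les refers to.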
On Fri, Feb 13, 2015 at 1:11 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> So even though sendmail I heard is not a security disaster for long
> time already I'm quite happy with postfix.

Sendmail was pretty much all fixed by the time postfix was released, and
made even better with the addition of the milter interface that lets you
run scanning, etc. processes under different uids but able to participate
in the smtp conversation. Postfix eventually got around to copying that too.

> At some point even RedHat
> switched to postfix as default MX software on their system (not long ago
> though...).

Just another change for change's sake as far as I'm concerned. Sendmail
continues to work just fine and the configs as shipped rarely take more
than a few lines of change in the m4 file to do normal operations.

> I guess, backup MX example makes me even happier: postfix
> really prevents you from doing wrong thing (making your backup MX a source
> of backscatter).

It's not postfix doing that, it is you, doing whatever has to be done to
keep your lists in sync. Still, I don't see the point of even having a
secondary MX. The days are long gone when chunks of the internet can't
reach each other for long periods of time and anything sending should do
its own queuing and retries. In fact if you do greylisting, you have
forced all of your senders to prove it.

-- 
Les Mikesell
lesmikesell at gmail.com