On 04.03.2015 at 21:03, Dave McGuire wrote:
> On 03/04/2015 02:12 PM, Michael Orlitzky wrote:
>>> I would like to reiterate Reindl Harald's point above, since subsequent
>>> discussion has gotten away from it. If Dovecot had DNS RBL support
>>> similar to Postfix, I think quite a few people would use it, and thereby
>>> defeat the scanners far more effectively than any other method. It is
>>> good that other people are suggesting things that will work today, but
>>> in terms of what new feature would be the best solution, I can't think
>>> of one better than a DNS RBL.
>>
>> Please add this support to iptables instead of Dovecot. It's a waste of
>> effort to code it into every application that listens on the network.
>
> <head explodes>
>
> Would you care to integrate it into IOS on my Cisco as well?
>
> There are things connected to the Internet that aren't PCs running
> Linux, you know. It may be hard to accept, but that's the way it is.
>
I assume your dovecot runs on some kind of *nix, so there should be some
sort of netfilter available which you can put in front of your listening
ports.

It might also be an option to create some kind of "hooks" in dovecot that
can be used to connect to a DNSBL checker, so configuration can happen
outside of dovecot.

Oliver

--
Protect your environment - close windows and adopt a penguin!
On 03/04/2015 03:37 PM, Oliver Welter wrote:
>>>> I would like to reiterate Reindl Harald's point above, since subsequent
>>>> discussion has gotten away from it. If Dovecot had DNS RBL support
>>>> similar to Postfix, I think quite a few people would use it, and
>>>> thereby
>>>> defeat the scanners far more effectively than any other method. It is
>>>> good that other people are suggesting things that will work today, but
>>>> in terms of what new feature would be the best solution, I can't think
>>>> of one better than a DNS RBL.
>>>
>>> Please add this support to iptables instead of Dovecot. It's a waste of
>>> effort to code it into every application that listens on the network.
>>
>> <head explodes>
>>
>> Would you care to integrate it into IOS on my Cisco as well?
>>
>> There are things connected to the Internet that aren't PCs running
>> Linux, you know. It may be hard to accept, but that's the way it is.
>>
> I assume your dovecot runs on some kind of *nix

Of course. I run it under Solaris.

> so there should be some
> sort of netfilter available which you can put in front of your listening
> ports.

There is. But I already have a firewall, running on bulletproof
hardware that doesn't depend on spinning disks. I don't want to add
ANOTHER firewall when I already have a perfectly good one. Besides, my
mail server is built for...serving mail. Not being a firewall.

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA
On 04.03.2015 at 21:45, Dave McGuire wrote:
> On 03/04/2015 03:37 PM, Oliver Welter wrote:
>>>>> I would like to reiterate Reindl Harald's point above, since subsequent
>>>>> discussion has gotten away from it. If Dovecot had DNS RBL support
>>>>> similar to Postfix, I think quite a few people would use it, and
>>>>> thereby
>>>>> defeat the scanners far more effectively than any other method. It is
>>>>> good that other people are suggesting things that will work today, but
>>>>> in terms of what new feature would be the best solution, I can't think
>>>>> of one better than a DNS RBL.
>>>>
>>>> Please add this support to iptables instead of Dovecot. It's a waste of
>>>> effort to code it into every application that listens on the network.
>>>
>>> <head explodes>
>>>
>>> Would you care to integrate it into IOS on my Cisco as well?
>>>
>>> There are things connected to the Internet that aren't PCs running
>>> Linux, you know. It may be hard to accept, but that's the way it is.
>>>
>> I assume your dovecot runs on some kind of *nix
>
> Of course. I run it under Solaris.
>
>> so there should be some
>> sort of netfilter available which you can put in front of your listening
>> ports.
>
> There is. But I already have a firewall, running on bulletproof
> hardware that doesn't depend on spinning disks. I don't want to add
> ANOTHER firewall when I already have a perfectly good one. Besides, my
> mail server is built for...serving mail. Not being a firewall.
>
Well, from an academic point of view, a network service that denies
connections on the IP layer is also an IP firewall.

Oliver

--
Protect your environment - close windows and adopt a penguin!
On 3/4/2015 12:45 PM, Dave McGuire wrote:
> There is. But I already have a firewall, running on bulletproof
> hardware that doesn't depend on spinning disks. I don't want to add
> ANOTHER firewall when I already have a perfectly good one. Besides, my
> mail server is built for...serving mail. Not being a firewall.

You can implement whatever type of security you are comfortable with;
however, best practice is to have layered security, also known as the
"belt and suspenders" method of keeping your pants up. A perimeter
firewall and local firewalls (iptables usually) on each machine is the
minimum level of security I set up. A perimeter firewall alone does not
protect you from an attacker who is able to compromise one machine and
install a scanner which then scans all the systems on your internal
network looking for exploitable weaknesses. All the while the perimeter
firewall is oblivious to the attack going on internally and utterly
incapable of mitigating it even if it were aware.

Dem
On 03/04/2015 09:45 PM, Dave McGuire wrote:
> On 03/04/2015 03:37 PM, Oliver Welter wrote:
>> On 04.03.2015 at 21:03, Dave McGuire wrote:
>>> On 04.03.2015 at 20:12, Michael Orlitzky wrote:
>>>> Please add [DNSBL] support to iptables instead of Dovecot. It's a waste of
>>>> effort to code it into every application that listens on the network.

(FWIW, I agree that DNSBL hooks have no business being in kernel space. A
standard *userland* DNSBL client communicating with iptables and similar by
means of libnetfilter_queue would sound quite promising, however ...)

>>> Would you care to integrate it into IOS on my Cisco as well?

[...]

>> so there should be some
>> sort of netfilter available which you can put in front of your listening
>> ports.
>
> There is. But I already have a firewall, running on bulletproof
> hardware that doesn't depend on spinning disks. I don't want to add
> ANOTHER firewall when I already have a perfectly good one. Besides, my
> mail server is built for...serving mail. Not being a firewall.

You're contradicting yourself here. If it's "a perfectly good" firewall,
why would you care whether an additional feature (might or) might not get
added to it? And if you don't trust those disks to keep spinning, why do
you allow them to hold your e-mail?

For what it's worth, the host firewall functionality *already is* in the
kernel, and kernel memory gets locked into RAM. Apart from bootup and local
logging, firewalling may well just keep running after the HDD died in
mid-operation (yes, I've seen (iptables-based) firewalls do that; the
customers typically complain that the webUI or CLI turned unresponsive).
Good luck getting the co-located dovecot to live up to that level of
resilience. :-}

Regards,
J. Bern

--
*NEW* - NEC IT infrastructure products in the <http://www.linworks-shop.de/>:
Server--Storage--Virtualization--Management SW--Passion for Performance
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, Fax -299 - Local Court Darmstadt HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel
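An added example, not code from this thread or from Dovecot: the two proposals above (Oliver's external "DNSBL checker" reached through a hook, and Jochen's userland client sitting behind libnetfilter_queue) both need the same small core, a function that turns a client address into a DNSBL query name, interprets the answer, and makes the fail-open/fail-closed decision explicit. The script below is that core, written as a hook-style command (exit 0 = allow, 1 = listed); the exit-code contract, the `--offline` flag, the zone name `dnsbl.example.invalid` and the in-memory `static_resolver` are all assumptions made for illustration, and the NFQUEUE wiring itself is not shown. It goes beyond the thread's IPv4-only framing by also building the nibble-reversed IPv6 name, which is the convention real lists use.

```python
#!/usr/bin/env python3
"""Stand-alone DNSBL check for a client IP, usable as an external "hook".

Example code written for this discussion, not part of Dovecot.  It models
the split proposed in the thread: the mail service (or an NFQUEUE callback)
only hands over a client address; list, resolver and policy live outside.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Optional, Tuple

# Hypothetical zone; real lists have their own zone, terms of use and
# return-code meanings.
DEFAULT_ZONE = "dnsbl.example.invalid"

# A resolver maps a name to an IPv4 string or raises socket.gaierror.
Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the lookup name for an IPv4 or IPv6 client address.

    IPv4: octets reversed        192.0.2.10 -> 10.2.0.192.<zone>
    IPv6: all 32 nibbles of the expanded address reversed, one per label,
          so 2001:db8::1 becomes 1.0.0.0.0....8.b.d.0.1.0.0.2.<zone>
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def is_listed(ip: str, zone: str = DEFAULT_ZONE,
              resolve: Resolver = socket.gethostbyname,
              fail_closed: bool = False) -> Tuple[bool, Optional[str]]:
    """Return (listed, answer).  `answer` is the A record (e.g. '127.0.0.2')
    when the list returned one; its exact meaning is list-specific.

    NXDOMAIN is the normal "not listed" reply.  Any other resolver failure
    is *not* a verdict: `fail_closed` decides whether a dead resolver is
    treated as "listed" (reject) or "clean" (allow).
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return (False, None)
        return (fail_closed, None)
    # DNSBL answers live in 127.0.0.0/8 by convention; anything else (a
    # wildcarding resolver, a captive portal) must not count as a listing.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return (True, answer)
    return (False, answer)


def static_resolver(table: Dict[str, str],
                    temporary_failure: bool = False) -> Resolver:
    """Constructed offline stand-in for DNS, so the example runs without
    network access and the resolver-down path can be exercised."""
    def resolve(name: str) -> str:
        if temporary_failure:
            raise socket.gaierror(socket.EAI_AGAIN,
                                  "Temporary failure in name resolution")
        if name in table:
            return table[name]
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return resolve


# Constructed sample list content: one listed address, everything else NXDOMAIN.
SAMPLE_LIST = {dnsbl_query_name("192.0.2.10"): "127.0.0.2"}


def main(argv) -> int:
    """Hook-style entry point: `dnsbl_check.py [--offline] <client-ip> [zone]`.
    Exit 0 = allow, 1 = listed/reject, 2 = usage error.  The hypothetical
    --offline flag consults SAMPLE_LIST instead of the system resolver."""
    args = [a for a in argv[1:] if a != "--offline"]
    if not args:
        print("usage: dnsbl_check.py [--offline] <client-ip> [zone]",
              file=sys.stderr)
        return 2
    ip = args[0]
    zone = args[1] if len(args) > 1 else DEFAULT_ZONE
    resolve = (static_resolver(SAMPLE_LIST) if "--offline" in argv
               else socket.gethostbyname)
    listed, answer = is_listed(ip, zone, resolve=resolve, fail_closed=False)
    print(f"{ip}: {'LISTED' if listed else 'not listed'} ({answer})")
    return 1 if listed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The `fail_closed` switch is the part worth arguing about before deploying anything like this in front of IMAP/POP: with `fail_closed=False` a resolver outage silently turns the check off, with `fail_closed=True` it locks every user out, and a DNSBL answer outside 127.0.0.0/8 is deliberately ignored so that a wildcarding resolver cannot blocklist the world.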