On Fri, May 12, 2000 at 10:55:07AM +0100, Malcolm Beattie wrote:
...
> OK, here's the low-down. I run ermine.ox.ac.uk and it, along with
> a number of the 20000 to 30000 other hosts in .ox.ac.uk use
> oxmail.ox.ac.uk, our mail hubs, as a smart host. If ORBS finds any one
> host in Oxford is an open relay then ORBS blacklists not only that
> host (rightly) but *also* its smarthost: oxmail.ox.ac.uk. Immediately,
> none of the 30000 users in Oxford can email anyone who uses ORBS.
Yes. Quite painfull. We have more than that at our commercial
customer sites, and they understood very easily when we told
them that either they must run secure servers, or allow incoming
SMTP only from our SMTP relay cluster.
Now all new customers are installed with router ACLs implementing
this rule, and they seem to be quite happy with it. We get very
rarely anymore any sort of ORBS detection against our relays.
For customers, and our helpdesks I wrote a small description about
this problem, and possible solutions to it:
http://www.zmailer.org/smtprelay.html
> The mail admin tells me the good news today that TPTB have
> now finally agreed to firewall off all SMTP to Oxford apart from the
> Oxmails and separately vetted named hosts. Given the number of hosts
> involved with hundreds of mostly autonomous departments and colleges,
> she's going to be spending even more time keeping all those
> registrations up to date and coping with the moans of plenty of other
> people who see firewalling off SMTP and not allowing them to run SMTP
> servers as fascist. Good luck to her.
In my former academic life we told departments (and students)
that they are welcome to relay thru our server, but only if
their machines are relay-proof. They can, after all, send
also directly to the world (and thus ORBS/RBL punishment
hits only their machine).
Students and staff didn't appear unhappy about the rule,
although the rate of abuse was quite low back then...
Possibly one of the reasons that our students were happy was
that we had centralized DNS maintance so that everybody who
got their PC/MAC network card MAC address registered to the
campus LAN, got IP address, and then got also DNS registration
with complete set of backup MX entries.
It is/was also a site which had *all* named DNS objects
equipped with MX data and WKS data! The latter is rarely
used anywhere. We ran the main hub so that if the system
didn't have SMTP in its WKS data, mail delivery attempt
was aborted, and message got bounced. Helped a lot to
avoid queueing things to routers, printers, and stupid
DOS/windows PCs..
> --Malcolm
> --
> Malcolm Beattie <mbeattie@sable.ox.ac.uk>
> Unix Systems Programmer
> Oxford University Computing Services
/Matti Aarnio <matti.aarnio@sonera.fi>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:20 EST