> From: Lucas Albers [mailto:[EMAIL PROTECTED]
> David F. Skoll said:
> > 3) Even if you don't have MX or A records pointing to internal mail
> > servers, you should firewall off port 25 on internal mail servers from
> > the outside world. We've seen instances of the MyDoom virus bypassing
> > the MIMEDefang machine by port-scanning for something listening on
> > port 25.
> >
> > The basic guiding principle: Do not permit any path for Internet
> > e-mail to bypass your MIMEDefang machine.
>
> I would like to firewall off access to an internal mail server, but my
> clients from off campus use it to send mail...
> This would work:
> Allow authenticated and local users to send mail through it but refuse all
> other mail through it. Configure it so external mailers will re-attempt
> delivery through external MX mailers...
> If I generate a 451 code to external MTAs, they should try the secondary
> MX, correct?
We use this same setup. One SMTP server (A) that accepts only authenticated sessions and allows relay for those. Another SMTP server (B) that accepts any session but does not allow relay. The trick is to only have A listed as an MX record. B does *not* need to be listed as an MX record. Usually B is listed explicitly (by DNS name) in the off-campus client's email client as the "Sending Mail Server" or "SMTP Server" - no need to advertise it in DNS, though a portscanner will still find it.

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
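The two-host split described in this thread, written out as an added Postfix configuration example (not from the list, and not the MIMEDefang project's own sendmail setup); the two hosts are labelled by role here, and the hostnames and the campus address range are assumptions:

```conf
# Submission host: the machine off-campus clients point their mail client at.
# It is NOT listed in DNS as an MX, and the firewall admits only 587/tcp here.
#
# master.cf: run the submission service only, with no smtpd on port 25 at all,
# so a worm port-scanning for 25 finds nothing listening on this host.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# main.cf on the submission host: "local users" means the campus range.
# 192.0.2.0/24 is a constructed placeholder (documentation prefix), not a real range.
mynetworks = 127.0.0.0/8 192.0.2.0/24

# MX host (the MIMEDefang machine): the only port 25 reachable from the Internet.
# Accepts mail for its own domains from anyone, relays for nobody, no AUTH offered.
# main.cf on the MX host:
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
```

Because the submission host never appears in MX, external MTAs never attempt delivery to it, so no 451 deferral is needed to push them toward the MX host; the final `reject` only ever fires for unauthenticated sessions that reached 587 directly.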

