Peter Blair wrote:

> On Thu, Feb 19, 2009 at 3:00 PM, Rich <rhd...@gmail.com> wrote:
>> I used the term "open relay" because I don't want to limit the by setting
>> "mynetworks" to a couple of networks. I was thinking by using sasl and tls
>> I could set mynetworks to 0/0.
> 0/0 is the entire internet.
>
> Take the approach of least privileges. The idea that laptop users VPN
> in if they want to be given a free ride (no auth) etc works, since you
> can place your VPN subnet into mynetworks.

Oh, dear! No, you don't want mynetworks to be 0/0. You'll make far too many new friends that way.

Leave mynetworks as it is, except to add the VPN(s) to the list. Taking the approach of defense in depth, layer SASL on top of that (TLS would be pretty much redundant over a VPN).

If you don't want to mess with a VPN, implementing SASL and permitting SASL authentication in main.cf, just before permitting mynetworks and rejecting unauth, would do the job, and there's still no reason to become an open relay. The encryption of TLS would be a good idea in this case, I suspect.

But a VPN can be used for a lot more than just email. OpenVPN is trivial to install, it works well, and it's lasted me a long time already...

-- 
Glenn English
g...@slsware.com
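As an added illustration of the main.cf layout discussed in this reply (this is example code, not from the thread or from Postfix itself): a small Python audit that parses two constructed main.cf fragments, the "mynetworks = 0/0" idea and the layered VPN-subnet/SASL/TLS layout, and flags the settings that turn a server into an open relay. The fragments and the 10.8.0.0/24 VPN subnet are assumptions.

```python
"""Audit Postfix relay settings for the mistake discussed above: mynetworks = 0/0."""
import re
# Constructed main.cf fragments, not from the thread: the "0/0" idea, then the layered
# layout (VPN subnet in mynetworks, SASL, TLS before AUTH). 10.8.0.0/24 stands in for a VPN.
OPEN_RELAY_CF = """\
mynetworks = 0/0
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
LAYERED_CF = """\
mynetworks = 127.0.0.0/8, [::1]/128, 10.8.0.0/24
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, _, value = (s.strip() for s in raw.partition("="))
            params[key] = value
    return params

def audit_relay(params):
    """Return findings about relay control; an empty list means nothing was flagged."""
    findings = []
    split = lambda v: [x for x in re.split(r"[,\s]+", v) if x]
    for net in split(params.get("mynetworks", "")):
        if net.endswith("/0"):  # 0/0, 0.0.0.0/0 and ::/0 all mean "trust everyone"
            findings.append(f"mynetworks trusts {net}, i.e. the whole internet: open relay")
    rules = split(params.get("smtpd_recipient_restrictions", ""))
    stop = [i for i, r in enumerate(rules) if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not stop:
        findings.append("smtpd_recipient_restrictions never rejects unauthorized destinations")
    for permit in ("permit_mynetworks", "permit_sasl_authenticated"):
        if stop and permit in rules and rules.index(permit) > stop[0]:
            findings.append(f"{permit} comes after the reject rule, so it never takes effect")
    if "permit_sasl_authenticated" in rules:
        if params.get("smtpd_sasl_auth_enable", "no") != "yes":
            findings.append("permit_sasl_authenticated listed but smtpd_sasl_auth_enable is not yes")
        if params.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("SASL AUTH offered without requiring TLS first (credentials in the clear)")
    return findings
```

Running `audit_relay(parse_main_cf(OPEN_RELAY_CF))` reports the open relay, while the layered fragment comes back clean; the ordering check also catches a permit rule placed after reject_unauth_destination, which silently never applies.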