Fedora Core 2 wishlists

Wil Cooley wcooley at nakedape.cc
Thu Dec 11 04:14:27 UTC 2003


On Wed, 2003-12-10 at 07:01, Chris Adams wrote:
> > Out of curiosity, why not?
> 
> Milter is probably the biggest reason at the moment.  I filter 1000
> spams a minute with a multi-server setup using milter (sendmail is
> running on several servers and the milter server is on another server).

Postfix has a 'content_filter' mechanism which acts as an SMTP proxy;
the receiving server can be anywhere, if your filtering server supports
it.  With amavisd-new, you have to use Sendmail in a dual-server setup
and not Milter if you want to be able to modify the message (like adding
*SPAM* to the header); the Postfix content_filter mechanism is much
cleaner and seems less hackish on a single-host setup.  The
content_filter can also be configured per-transport.

> Also, I have some heavily tuned custom configs.  Can postfix allow
> multiple DNSBLs to be merged into one (with different response code) to
> cut down on DNS requests, and allow some to reject before RCPT TO and
> some after?

Like, you've imported the zones from the RBLs and serve them locally?
Sure, don't see why not.

> I also know of people that still use UUCP.

I've heard of such people.  Apparently there are also people using
dial-in BBSes and running DOS applications.

> > Postfix is a viable alternative to sendmail with a much better security
> > history and architecture. These other projects don't have secure usable
> > replacements.
> 
> There's plenty of other web servers and there are a couple of other SSH
> servers IIRC.

'lsh' is the only replacement SSH server I know of, but from what I've
heard it's not really usable yet.  (Aside, perhaps, from proprietary
versions, like F-Secure's or Cisco's.)

> There've only been a few problems with sendmail in recent years, and
> those have been found by people examining the code closer than ever.  I
> think that sendmail is one of the more scrutinized pieces of code
> around.

Architecture.  You can audit code until your eyes bleed, but without a
proper architecture with security in mind, you're just waiting until
someone finds a clever way of exploiting something that hadn't been
thought of or of exploiting some part of the underlying framework the
application is built on.  Proper design is a hedge against that and
limits the scope of damage even when a vulnerability is found.

Wil
-- 
Wil Cooley                                 wcooley at nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
*   Naked Ape Consulting                 http://nakedape.cc  *
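The content_filter arrangement described in the reply above, as an added example that is not part of the original message: main.cf names the filter transport and master.cf defines both halves of the proxy, in the layout amavisd-new's own Postfix notes use. The 10024/10025 ports and the 127.0.0.1 addresses are assumed amavisd-new defaults; the filter host can be any reachable server, and the `-o content_filter=` override on the re-injection listener is the per-transport setting mentioned in the reply.

```conf
# main.cf: hand every message accepted by the public smtpd to the
# filter transport (host and port are assumed amavisd-new defaults).
content_filter = smtp-amavis:[127.0.0.1]:10024

# master.cf: the delivery side of the filter, a dedicated smtp client
# with a long DATA timeout so slow scanning does not abort the hand-off.
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

# master.cf: the re-injection listener the filter returns cleaned mail
# to. Bound to loopback only, restricted to mynetworks so it can never
# act as an open relay, and with content_filter cleared (per-transport
# override) so re-injected mail is not filtered again, which would
# otherwise produce an unbounded mail loop.
127.0.0.1:10025 inet n    -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
```

A quick check after reloading: mail that enters on port 25 should show two queue IDs in the log (one before and one after the filter), and a connection to 10025 from a non-loopback address should be rejected.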