Logs and how to read them

Rodolfo J. Paiz rpaiz at simpaticus.com
Thu Apr 22 16:01:35 UTC 2004


At 16:20 4/21/2004, you wrote:
>But, instead of trying to harden your sendmail you should spend the time
>to switch to another MTA. I decided for postfix, but e.g. exim may be a
>good choice, too (it has excellent documentation).

Quit telling the guy to switch MTAs, for God's sake. Fix his problem... 
*then* when we've got him out of the fire, you can tell him that you think 
$MAILSERVER would be better for him. But right now, let's fix his system!

> > One thing I did notice after reading this reply is yes, I can set up a
> > external SMTP on a Windows machine and go through my firewall and connect
> > to it, but the internal machines are all using my SMTP server, there are
> > only 8 internal machines so it was easy to check.  I don't think that is
> > how the SPAM got out, I trust these users.
>
>There are a lot newer viruses around which have their own SMTP
>functionality! They don't use your email program's configuration or SMTP
>function. They have their own and it is sufficient if the firewall lets
>pass SMTP communication. You should immediately reconfigure the firewall
>to block port 25.

This is mostly correct. If all those users are supposed to use your SMTP 
server, then set up your firewall accordingly. I do not suggest blocking 25 
outbound, but rather *redirecting* tcp/25 to your mail server. That way, 
*any* attempts to connect to an SMTP server will be redirected to yours. 
And if one of your Windows users does have a worm, it'll be unable to talk 
to the outside but you will see its attempts in your maillog.

Much better this way: you get better problem warning and control, the users 
get full functionality, the virii get stopped, and outside systems never 
get bothered.


-- 
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
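Once outbound tcp/25 is redirected to the local mail server as described above, an infected workstation's own SMTP engine shows up in the maillog as a burst of messages relayed from one internal IP, often with forged sender addresses at outside domains. The script below is an added example (not from the thread or from any of the participants) of reading those log lines the way the post suggests: it parses sendmail-style "from=" lines, tallies messages per relay IP, and flags hosts that either send more than a threshold or use sender domains that are not local. The log lines, the IP addresses, the local domain "example.com" and the threshold are constructed for the example.

```python
import re

# Constructed sample lines in sendmail's maillog format (not taken from the thread).
# Host 192.168.1.13 behaves like a workstation with its own SMTP engine:
# a burst of messages with forged senders at outside domains.
SAMPLE_MAILLOG = """\
Apr 22 10:15:01 mail sendmail[2101]: i3MAF1Ab002101: from=<alice@example.com>, size=1840, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=pc1.lan [192.168.1.11]
Apr 22 10:16:44 mail sendmail[2107]: i3MAGiAb002107: from=<bob@example.com>, size=960, class=0, nrcpts=2, msgid=<b1@example.com>, proto=ESMTP, daemon=MTA, relay=pc2.lan [192.168.1.12]
Apr 22 10:17:02 mail sendmail[2110]: i3MAH2Ab002110: from=<jsmith@hotmail.com>, size=4211, class=0, nrcpts=1, msgid=<x1@hotmail.com>, proto=SMTP, daemon=MTA, relay=[192.168.1.13]
Apr 22 10:17:03 mail sendmail[2111]: i3MAH3Ab002111: from=<mary@yahoo.com>, size=4211, class=0, nrcpts=1, msgid=<x2@yahoo.com>, proto=SMTP, daemon=MTA, relay=[192.168.1.13]
Apr 22 10:17:03 mail sendmail[2112]: i3MAH3Ab002112: from=<admin@example.com>, size=4211, class=0, nrcpts=3, msgid=<x3@example.com>, proto=SMTP, daemon=MTA, relay=[192.168.1.13]
Apr 22 10:17:04 mail sendmail[2113]: i3MAH4Ab002113: from=<news@aol.com>, size=4211, class=0, nrcpts=1, msgid=<x4@aol.com>, proto=SMTP, daemon=MTA, relay=[192.168.1.13]
Apr 22 10:20:30 mail sendmail[2120]: i3MAKUAb002120: from=<alice@example.com>, size=300, class=0, nrcpts=1, msgid=<a2@example.com>, proto=ESMTP, daemon=MTA, relay=pc1.lan [192.168.1.11]
"""

# Sendmail writes "relay=host [ip]" when the client resolves and "relay=[ip]" when it does not.
LINE_RE = re.compile(
    r"from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<nrcpts>\d+).*?"
    r"relay=(?:\S+ )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]"
)


def parse_maillog(text):
    """Return one record per 'from=' line: envelope sender, recipient count, relay IP."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({
                "sender": m.group("sender"),
                "nrcpts": int(m.group("nrcpts")),
                "ip": m.group("ip"),
            })
    return records


def summarize_by_relay(records):
    """Aggregate message count, recipient count and sender domains per relaying IP."""
    stats = {}
    for r in records:
        s = stats.setdefault(r["ip"], {"messages": 0, "recipients": 0, "sender_domains": set()})
        s["messages"] += 1
        s["recipients"] += r["nrcpts"]
        domain = r["sender"].rpartition("@")[2].lower()
        if domain:  # an empty sender (<>) is a bounce, not a forged domain
            s["sender_domains"].add(domain)
    return stats


def flag_suspicious(stats, local_domains, max_messages):
    """Return {ip: [reasons]} for hosts that forge outside sender domains or exceed the volume threshold."""
    findings = {}
    for ip, s in stats.items():
        reasons = []
        foreign = sorted(d for d in s["sender_domains"] if d not in local_domains)
        if foreign:
            reasons.append("sender domains not local: " + ", ".join(foreign))
        if s["messages"] > max_messages:
            reasons.append(f"{s['messages']} messages exceeds threshold of {max_messages}")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    # Threshold and local domain are assumptions for the sample; tune them to the real site.
    stats = summarize_by_relay(parse_maillog(SAMPLE_MAILLOG))
    for ip, reasons in flag_suspicious(stats, {"example.com"}, max_messages=3).items():
        print(f"{ip}: " + "; ".join(reasons))
```

On a real server, feed it `/var/log/maillog` (or wherever syslog writes the mail facility) instead of the constructed sample; a host that appears with forged outside sender domains after the redirect is in place is the one to pull off the network and clean.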