LinuxSA Mailing list archives

  From: Alan Kennington <akenning@topology.org>
  To  : Michael Kratz <michael_kratz@hotmail.com>
  Date: Sun, 6 May 2001 14:08:51 +0930

Re: IDENTD is it really needed for sendmail?

On Sun, May 06, 2001 at 01:45:12PM +0930, Michael Kratz wrote:
> 
> on a system that is running sendmail as its primary MTA does one really have 
> to run IDENTD? Normally I do, but I have setup a 2 server setup a couple of 
> weeks ago and realised that I didn't allow for IDENTD transactions through 
> the firewall... the machine that sends mail is behind the firewall and it 
> can still send mail, albeit I think it takes a bit longer... are there any 
> fors and againsts to using or not using IDENTD??

Michael,

There's often been discussion of this over the years.
The arguments against permitting auth/ident access
are that it permits, like finger, the discovery of
user names on a remote machine, and that means that remote
users could use the names to help in login attempts
with guessed passwords, or it could help in assembling
spam lists.

I haven't permitted ident for a few years.
But with my old default-accept firewall scripts,
the absence of ident in my /etc/inetd.conf file
(or whatever) meant that the kernel generated a 
TCP reset-packet in response to any SYN to that port.
That speeds up sendmail's sending to your machine.

In my current default-drop scripts, I found that
remote MTAs were generating several lines in my log file
every time I was receiving e-mail. That slows down e-mail
and wastes space in the log files. (And my time/effort while
I check to see if it's a hack attempt.)

So now I put a non-logging reject rule in my firewall script
for the ident port.
I think that this generates an ICMP packet response to the sender
rather than a TCP reset-packet.
But for most set-ups, this should have the same effect.

In purely protocol-theoretic terms, I think the "best"
solution is to not use ident at all, and let the kernel
generate the TCP reset-packet. But that's more bother,
and the result is about the same.
So I'd just firewall it out with a non-logging reject target.
Then you can still use ident locally on your LAN.

Cheers,
Alan Kennington.

--------------------------------------------------------------------
    name: Dr. Alan Kennington
  e-mail: akenning@topology.org
 website: http://www.topology.org/
    city: Adelaide, South Australia
  coords: 34.88051 S, 138.59334 E
timezone: UTC+0930 http://www.topology.org/timezone.html
 pgp-key: http://www.topology.org/key_ak2.asc

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
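The setup Alan describes (reject, don't drop, on the ident port; keep ident usable on the LAN), as an added example that is not part of the original post. It assumes a Linux host with iptables; LAN_NET is a placeholder for the LAN that may still use ident. With iptables the reject rule can send a TCP RST directly, which is the "let the kernel generate the TCP reset" result he calls best, without running anything on port 113. The probe function is the check a sender sees: run it against your mail host from outside the firewall and it should print "refused" straight away, not "timeout".

```shell
#!/bin/bash
# Added example (not from the original post): firewall the ident/auth port
# (TCP 113) so remote MTAs get an immediate answer instead of a silent drop,
# while hosts on the local LAN can still reach a local identd.
# Assumptions: Linux with iptables; LAN_NET is a placeholder for the LAN
# that may still use ident (adjust to your network).

LAN_NET=${LAN_NET:-192.168.0.0/24}

# Print the rules rather than apply them, so they can be reviewed first
# and pasted into an existing firewall script.
ident_rules() {
    # 1. LAN hosts may still use ident against this machine.
    echo "iptables -A INPUT -p tcp --dport 113 -s $LAN_NET -j ACCEPT"
    # 2. Everyone else gets a TCP RST at once, which is what the kernel
    #    would send if nothing listened on 113.  No LOG rule in front of
    #    it, so delivery does not wait and nothing is written to the logs.
    #    "-j DROP" here would be the slow setting: the sender waits for a
    #    connect timeout on every incoming message.
    echo "iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # Plain "-j REJECT" (no --reject-with) answers with an ICMP
    # port-unreachable instead; most senders treat the two the same way.
}

# Apply the printed rules (needs root).
apply_ident_rules() {
    ident_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Check from the outside what a connecting MTA sees on port 113.
# Prints "refused" (RST or ICMP unreachable: the fast answer), "open"
# (an identd answered) or "timeout" (the SYNs are being dropped).
# Usage: probe_ident <host> [seconds]
probe_ident() {
    local host=$1 wait=${2:-5}
    # bash's /dev/tcp redirection does the connect; timeout(1) bounds it.
    if timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/113" 2>/dev/null; then
        echo open
    elif [ $? -eq 124 ]; then
        echo timeout
    else
        echo refused
    fi
}

# Stand-alone use: show the rules and probe the local host.
ident_rules
echo "127.0.0.1 port 113: $(probe_ident 127.0.0.1 3)"
```

Run `probe_ident mail.example.org` from a host on the far side of the firewall; "timeout" means the port is still being dropped and every remote MTA is paying that wait before it sends MAIL FROM.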

