relaying

Glen Turner glen.turner at aarnet.edu.au
Tue Dec 3 18:35:32 CST 2002


David Lloyd wrote:

> Personally I would strongly suggest a web-based mailing system using
> https...


Or simply require authentication before relaying.

This allows people to use their favored e-mail
client with exactly the same configuration at
work and at home (useful for notebook computers).

Set it up using TLS so you don't leak passwords.

If you also configure your IMAP server to do
IMAP over SSL then the "reading e-mail over the
WLAN at the conference" security scenario works
fine.

Outlook supports SMTP authentication, SMTP with
TLS and IMAP with SSL.

Sendmail supports SMTP authentication and SMTP
with TLS.  It can authenticate the userid in
a number of ways -- we use the corporate LDAP
directory as it is the prime source of all of
our computer user account information.

Sendmail can additionally rewrite the From header
based upon the authenticating userid.  I suggest
you do this -- it prevents people from sending
mail with spoofed "From" addresses.

Whilst we're on e-mail system tricks:

  - run SMTP on two ports.  A lot of ISPs block
    port 25 except to their own mail servers as
    an anti-spam measure.

  - run SpamAssassin and drop suspect spam into
    the user's Spam folder.

  - use MIMEDefang to strip "bad" attachments
    (like .exe) and to run a virus scanner.

  - name mailing lists in a consistent fashion.
    For example, *@lists.example.edu.au.  Then
    you can easily set up utilities not to spam
    check or virus check outgoing mailing list
    mail.  Better to check the incoming mailing
    list mail once and not to check the same mail
    when it is outgoing hundreds of times.

  - don't add corporate disclaimers.  These break
    S/MIME message authentication and encryption.
    If you *need* disclaimers then add them to each
    user's .signature file -- then it is part of
    the message.  It also allows users to remove
    the disclaimer where appropriate -- for example,
    our lawyers insist that we discard e-mailed tender
    responses from companies that disclaim that the
    e-mail "doesn't represent the views of the company".

  - if you have LDAP, add automatic S/MIME encryption
    for messages within your organisation.  Someone
    who hacks the mail server won't get as much joy
    as they otherwise would.

  - run an HTTPS/IMAPS web gateway.  You don't want
    people doing business through HotMail accounts.

  - tell people how to alter their identity on the
    e-mail system when posting to public places.
    For example, using an identity "fred.bloggs+linuxsa@
    example.edu.au" to join and post to this
    mailing list makes it easy to discard spam
    generated by robots that scan the mail archives.

  - configure the local delivery agent (such as procmail)
    when seeing a message to "user+Folder at example.edu.au"
    to put the message in the IMAP folder named "Folder"
    if the folder exists.  This makes it easy for people
    to manage mailing lists.

-- 
  Glen Turner                (08) 8303 3936 or +61 8 8303 3936
  Australian Academic and Research Network   www.aarnet.edu.au
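The "user+Folder" delivery rule from the last item above, as an added shell example that is not part of Glen's post. It assumes a Maildir++ layout (folder "Folder" stored as "$MAILDIR/.Folder", as Courier and Dovecot do) and that procmail or another local delivery agent pipes the message in on stdin with the recipient address as the first argument; the folder name arrives from the remote sender, so it is restricted to a safe character set before it is used as a path.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes Maildir++: the IMAP
# folder "Folder" lives at "$MAILDIR/.Folder" with tmp/ new/ cur/ inside.

# plus_folder ADDRESS MAILDIR
#   Print the Maildir directory a message to ADDRESS should land in:
#   "$MAILDIR/.Folder" when ADDRESS is user+Folder@... and that folder
#   exists, otherwise the inbox "$MAILDIR".
plus_folder() {
    addr=$1
    root=$2
    lp=${addr%%@*}                         # local part, domain stripped
    case $lp in
        *+*) folder=${lp#*+} ;;            # text after the first '+'
        *)   folder= ;;
    esac
    # The folder name is chosen by whoever addressed the mail.  Allow only
    # a conservative character set so it can never contain '/' or '..'
    # and escape $root.
    case $folder in
        "" | *[!A-Za-z0-9_-]*) printf '%s\n' "$root"; return 0 ;;
    esac
    if [ -d "$root/.$folder/new" ]; then
        printf '%s\n' "$root/.$folder"
    else
        printf '%s\n' "$root"
    fi
}

# deliver ADDRESS MAILDIR < message
#   Maildir delivery: write stdin to tmp/ under a unique name, then rename
#   into new/ so readers never see a half-written file.  Prints the path.
deliver() {
    dest=$(plus_folder "$1" "$2")
    tmpf=$(mktemp "$dest/tmp/msg.XXXXXX") || return 1
    cat > "$tmpf" || return 1
    name=${tmpf##*/}
    mv "$tmpf" "$dest/new/$name" || return 1
    printf '%s\n' "$dest/new/$name"
}
```

A procmail rule can call it as `| /path/to/script "$RECIPIENT" "$HOME/Maildir"`, where how the LDA exposes the recipient address is site-specific.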
