glen.turner at aarnet.edu.au
Tue Dec 3 18:35:32 CST 2002
David Lloyd wrote:
> Personally I would strongly suggest a web-based mailing system using
Or simply require authentication before relaying.
This allows people to use their favored e-mail
client with exactly the same configuration at
work and at home (useful for notebook computers).
Set it up using TLS so you don't leak passwords.
If you also configure your IMAP server to do
IMAP over SSL then the "reading e-mail over the
WLAN at the conference" security scenario works
Outlook supports SMTP authentication, SMTP with
TLS and IMAP with SSL.
Sendmail supports SMTP authentication and SMTP
with TLS. It can authenticate the userid in
a number of ways -- we use the corporate LDAP
directory as it is the prime source of all of
our computer user account information.
Sendmail can additionally rewrite the From header
based upon the authenticating userid. I suggest
you do this -- it prevents people from sending
mail with spoofed "From" addresses.
Whilst we're on e-mail system tricks:
- run SMTP on two ports. A lot of ISPs block
port 25 except to their own mail servers as
an anti-spam measure.
- run SpamAssassin and drop suspect spam into
the user's Spam folder.
- use MIMEDefang to strip "bad" attachments
(like .exe) and to run a virus scanner.
- name mailing lists in a consistent fashion.
For example, *@lists.example.edu.au. Then
you can easily set up utilities not to spam
check or virus check outgoing mailing list
mail. Better to check the incoming mailing
list mail once and not to check the same mail
when it is outgoing hundreds of times.
- don't add corporate disclaimers. These break
S/MIME message authentication and encryption.
If you *need* disclaimers then add them to each
user's .signature file -- then it is part of
the message. It also allows users to remove
the disclaimer where appropriate -- for example,
our lawyers insist that we discard e-mailed tender
responses from companies that disclaim that the
e-mail "doesn't represent the views of the company".
- if you have LDAP, add automatic S/MIME encryption
for messages within your organisation. Someone
who hacks the mail server won't get as much joy
as they otherwise would.
- run a HTTPS/IMAPS web gateway. You don't want
people doing business through HotMail accounts.
- tell people how to alter their identity on the
e-mail system when posting to public places.
For example, using an identity "fred.bloggs+linuxsa@
example.edu.au" to join and post to this
mailing list makes it easy to discard spam
generated by robots that scan the mail archives.
- configure the local delivery agent (such as procmail)
when seeing a message to "user+Folder at example.edu.au"
to put the message in the IMAP folder named "Folder"
if the folder exists. This makes it easy for people
to manage mailing lists.
Glen Turner (08) 8303 3936 or +61 8 8303 3936
Australian Academic and Research Network www.aarnet.edu.au
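
Added example, not part of the original post and not Glen Turner's configuration: a sketch of the "user+Folder" delivery rule from the last item, filing mail into the named folder only if it already exists. It assumes a Maildir++ layout (folder "X" stored as ".X" under the user's Maildir) and a conservative folder-name whitelist, because the "+detail" part is chosen by whoever sends the mail; all function names are hypothetical.

```python
import os
import re
import tempfile

# Assumption: allowed characters for the "+Folder" detail. The detail is
# sender-controlled, so anything that could leave the Maildir is refused.
SAFE_FOLDER = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")

def split_plus_address(rcpt):
    """Return (user, detail, domain); detail is None when there is no '+'."""
    local, sep, domain = rcpt.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an address: %r" % rcpt)
    user, plus, detail = local.partition("+")
    return user, (detail if plus else None), domain

def delivery_folder(rcpt, maildir):
    """Pick the Maildir++ subfolder for rcpt, falling back to the inbox."""
    _user, detail, _domain = split_plus_address(rcpt)
    if detail is None or not SAFE_FOLDER.fullmatch(detail):
        return maildir  # no detail, or unsafe characters such as "/" or ".."
    candidate = os.path.join(maildir, "." + detail)
    # Deliver only to folders the user created; never create one on demand.
    if os.path.isdir(os.path.join(candidate, "new")):
        return candidate
    return maildir

def demo():
    """Run the rule against a constructed Maildir with one 'linuxsa' folder."""
    rcpts = [
        "fred.bloggs+linuxsa@example.edu.au",    # folder exists
        "fred.bloggs@example.edu.au",            # plain address
        "fred.bloggs+nosuch@example.edu.au",     # folder missing
        "fred.bloggs+../../etc@example.edu.au",  # traversal attempt
    ]
    with tempfile.TemporaryDirectory() as root:
        maildir = os.path.join(root, "Maildir")
        for sub in ("new", os.path.join(".linuxsa", "new")):
            os.makedirs(os.path.join(maildir, sub))
        return {r: os.path.relpath(delivery_folder(r, maildir), maildir)
                for r in rcpts}

if __name__ == "__main__":
    for rcpt, folder in demo().items():
        print(rcpt, "->", folder)
```

In the output "." is the inbox; only the address whose folder already exists is filed elsewhere.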