Hi Thierry,
| How can a normal firewall not be configured to do exactly the same?
| Maybe most people configure their firewall to regulate incoming
| traffic only, but I have a couple not-so-small thingies here that
| *do* filter outbound traffic too.
| Also, filtering 135-139 should be standard (in more serious setups
| anyway) - even many ISPs actually do this. Thanks MS for another of
| those huge security holes...
The idea is to have firewall-rules that protect the Internet and not
the end-user.
Ok. That's what most companies do when they block outbound SMTP
except from their own mailserver - other netizens wouldn't be
hurt by one of their WinPCs getting infected by the latest Outlook
virus (only one example).
And the firewall is controlled by an outside entity and not from
the leaf.
Ah, now that's a more interesting part, control. There's been
quite some talk about egress filtering by ISPs, not sure how
many actually implement this.
Maybe the term reverse-firewall is not well chosen but the idea is
not bad.
Well, as long as the clients get to know about the types of
filtering. For instance, I'd be very uncomfortable about web-
filtering, if it is not made very clear who gets to choose what
gets filtered and why (recent example of British ISP; many
a la CyberPatrol and whatnots have "closed" blacklists, which
have been known to block perfectly legitimate sites).
| AFAIK, the LiLux mailserver has a static IP, and it doesn't
| exactly fit into the dial-up category. I guess technically,
| it could quite simply use mailsvr.pt.lu as smarthost also.
The problem is not when sendar is sending traffic out but when
you need to configure special rules for incoming traffic or on
the SPF records. You may not send mail using @linux.lu from other
mail servers except you are added in the SPF record on our DNS.
At least to those sites that check the SPF records.
So best is to configure sendar as your SMTP server and use auth.
Hmmm...
Care to do a presentation on SPF, what it is, how it works,
how it's implemented?
I haven't got the time as yet to look into it.
Greets Eric