Re: [cobalt-users] Off-topic, Mail Server / ORBS Discovery
- Subject: Re: [cobalt-users] Off-topic, Mail Server / ORBS Discovery
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Thu May 25 18:40:46 2000
- Organization: nobaloney.net
Steven Werby wrote:
> For those of you not familiar with ORBS, ORBS looks for insecure email servers
> across the internet. It does its own searches and people submit servers to be
> tested and then it puts them through a battery of tests to see if they are
> secure. If it's found to be insecure the owner is given 30 days to correct the
> problem before the server is added to the public ORBS list. Many companies and
> websites block email from servers in the ORBS list b/c insecure mail servers are
> used by spammers to send millions of spam emails per day. To find out more check
> out the site. To verify that my BA mail server is blackholed go to
> http://www.orbs.org/verify_1.html and enter 199.45.39.157 as the IP address to
> lookup.
I'm trying to... the site is a bit busy right now.
However, to be fair, let's point out a few things. First... the RaQ2s
and 3s, by default, aren't open relays, so most of us don't have to
worry.
Second, I've got an open relay right now; I'm inheriting it with that
ISP I'm buying. Fixing it isn't quite as quick and easy as you'd think
<frown>.
It's running BSDi2.1 with sendmail 8.8.3, and there's not really a good
way to secure it.
Sure I can rebuild sendmail from source, but this is a running machine
serving an awful lot of users.
So you say just switch the users to another box?
Fine. Good. Great idea.
Problem is that whoever set up the servers set up both smtp services and
pop services as "mail.xxxxx.com" (name changed not to protect the guilty
so much as to avoid it being out in the open that the server will
relay; spammers do read lists such as this).
So we can't move one without the other.
And moving mailboxes for a whole ISP worth of servers takes a lot of
time.
So we're working on it. We're getting everyone to switch to
"smtp.xxxxx.com" for outgoing mail and "pop.xxxxx.com" for incoming
mail. We've aliased the smtp.xxxxx.com to our RaQ2; it's already been
tested, and it relays for inside this domain but still passes all the
anti-relay tests.
First we'll get the people moved. That takes days <frown>. Then we'll
create a backup mail server somewhere to hold mail while the main box is
down. Then we'll turn off sendmail on that old box and make a temporary
fix (relay mail only to or from internal network). Then turn it back
on. Hopefully will only take a few minutes and will work.
During those few minutes mail will back up on the backup mail server.
Why can't we just make the temporary fix, you ask...
Simple, because the dialup users are NOT on our internal network,
they're on Megapop's.
In case you've got a better answer, please tell me. Call me to tell me
if you can save me time.
I've presented this problem on both the BSDi list and Chuck Mead's Mail
Help list. Good minds have tried to short cut it for me. If you can,
great <smile>.
It's not always as easy as we'd like.
And it's taking time. Won't take 14 days to fix, because the server's
scheduled to come down in 12 days when my purchase of the ISP becomes
final, so it must be fixed by then.
And oh, since we're working with the blackholers, they've agreed not to
blackhole us. I hope they mean it.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA 92517
voice: (909) 787-8589 * fax: (909) 782-0205
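
Added example, not part of the original message or of any sendmail configuration: a small model of the "relay mail only to or from internal network" rule described above, showing why it locks out dialup customers who connect from a third-party network. The networks, domains and function names are constructed for illustration (RFC 5737 documentation ranges, example domains).

```python
import ipaddress

# Constructed values (RFC 5737 documentation ranges, example domains).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the ISP's own network
LOCAL_DOMAINS = {"example.net"}                          # domains hosted on the box

def split_address(address):
    """Split an envelope address into (local part, lowercased domain)."""
    local, sep, domain = address.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return "", ""
    return local, domain.lower().rstrip(".")

def relay_decision(client_ip, rcpt):
    """Return 'relay', 'deliver' or 'reject' for one RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return "relay"      # "from internal network": may send anywhere
    local, domain = split_address(rcpt)
    # "to internal network": recipient must be a hosted mailbox. A local part
    # carrying routing characters asks for onward forwarding, so it is
    # treated as a relay attempt even when the final domain is hosted.
    if domain in LOCAL_DOMAINS and not any(c in local for c in "%!@"):
        return "deliver"
    return "reject"

# Constructed sessions: (who is connecting, client IP, recipient).
SESSIONS = [
    ("customer on the ISP's LAN", "192.0.2.10", "friend@example.org"),
    ("outside server, inbound mail", "203.0.113.5", "user@example.net"),
    ("outside host, relay test", "203.0.113.5", "someone@example.org"),
    ("outside host, routed address", "203.0.113.5", "someone%example.org@example.net"),
    ("dialup customer on third-party network", "198.51.100.23", "friend@example.org"),
]

def evaluate(sessions):
    """Return the decision for each session, in order."""
    return [relay_decision(ip, rcpt) for _, ip, rcpt in sessions]

if __name__ == "__main__":
    for (who, ip, rcpt), verdict in zip(SESSIONS, evaluate(SESSIONS)):
        print(f"{verdict:8} {who:40} {ip:15} -> {rcpt}")
```

The last session gets the same verdict as the outside relay test: an address-based rule cannot tell a paying dialup customer on someone else's network from a stranger.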