Re: [cobalt-users] STOP POP BEFORE SMTP
- Subject: Re: [cobalt-users] STOP POP BEFORE SMTP
- From: Larry Smith <lesmith@xxxxxxxxx>
- Date: Sun Apr 13 11:05:00 2003
- Organization: ECSIS.NET
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Sunday 13 April 2003 11:13 am, Jeff Lasman wrote:
> Thanks for this great bit of advice, Larry. I've not done that because
> I always want the distribution master on my system. However, I'm doing
> it now, first copying sendmail.cf.master to sendmail.cf.DIST.MASTER.
Jeff,

Excellent idea. I do the same myself (sendmail.cf to sendmail.cf.org for
"original"), then each time I make any "changes" I copy the new one to
sendmail.cf.YYMMDD (e.g. sendmail.cf.030412) so that I can easily "track" back
through changes and see what has been done. In fact I do this with scripts,
programs, etc. that I might "modify" in some way (<original-name> to
<original-name.org> and / or <original-name.YYMMDD>) for the same reason -
being able to determine "what" I did and approximately when.
Relative to another, similar topic, I also "changed" the error message from
"Relaying denied, please check your mail first" to just "Relaying denied" so
as to not "give away" the fact that the box is running poprelayd. Tracked
over 11,000 attempts at a "cable" IP address trying multiple names, domains
in trying to get access so they presumably could "relay" through one of my
boxes a while back. Luckily all my boxes "report" all unauthorized access
attempts (a pain from the volume of mail I get, but a blessing when I can
quickly "see" who is trying what, when, how, etc.).
Program is called "secnotes" (talked about here previously) and is just a
shell script that works off of hosts.deny and mails the admin (or designated
person/account) a notice of any/all (as desired) unauthorized connection
attempts.
For example:

    bootpd: ALL : spawn /usr/local/bin/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" & : DENY

will send me a message (our admin alias account) of all attempts to access
"bootp" on any server with the IP address of the server, the port number(s),
the remote IP and hostname, and username attempted if applicable, etc...
Changing the bootpd to "ALL" as the last entry in hosts.deny would "notify"
one of all events not explicitly authorized by an allow entry on a particular
box (which we do on certain customer boxes), and we even have some boxes where
the entry is changed to "all" and "allow" to report _ALL_
connections/attempts to the box in question... (almost a honeypot).
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
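
Added example, not part of the message above and not the secnotes script it mentions: a minimal notifier of the kind described, which splits the single "+"-joined argument passed by the hosts.deny spawn line and mails a labelled notice. The ADMIN variable and the format_notice function are assumed names; field labels follow the % expansions documented in hosts_access(5).

```shell
#!/bin/sh
# Added example: a minimal hosts.deny notifier. This is not the "secnotes"
# script from the message; ADMIN and format_notice are assumed names.
ADMIN="${ADMIN:-root}"    # assumed recipient, e.g. an admin alias

# Expand the single "%a+%A+%c+%d+%h+%H+%s+%u" argument into a readable notice.
# Returns 1 (and prints the raw value) when the field count is not eight, for
# instance when a remote-supplied value itself contains a "+".
format_notice() {
    raw=$(printf '%s' "$1" | tr -d '[:cntrl:]')   # strip control characters
    old_ifs=$IFS
    IFS='+'
    set -f              # no globbing while the value is split
    set -- $raw         # intentionally unquoted: split on "+"
    set +f
    IFS=$old_ifs
    if [ "$#" -ne 8 ]; then
        printf 'Unparsed event (expected 8 fields, got %s): %s\n' "$#" "$raw"
        return 1
    fi
    printf 'Denied connection attempt\n'
    printf '  client address (%%a): %s\n' "$1"
    printf '  server address (%%A): %s\n' "$2"
    printf '  client info    (%%c): %s\n' "$3"
    printf '  daemon         (%%d): %s\n' "$4"
    printf '  client host    (%%h): %s\n' "$5"
    printf '  server host    (%%H): %s\n' "$6"
    printf '  server info    (%%s): %s\n' "$7"
    printf '  client user    (%%u): %s\n' "$8"
}

# Called from hosts.deny with one argument; does nothing when run without any.
if [ "$#" -gt 0 ]; then
    body=$(format_notice "$1") || true
    printf '%s\n' "$body" | mail -s "Denied connection on $(hostname)" "$ADMIN"
fi
```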