Re: questions on ident, postfix & proftp

2000-12-19 Thread Nick Phillips
Kevin van Haaren wrote:

> Postfix question
> 
> I have a laptop user that travels around and I'd like to let them
> send mail through postfix using authenticated smtp  from anywhere on
> the internet (I like this better than the pop authentication == smtp
> authentication, as it seems more secure).  Reading through the sample
> configs it looks like postfix provides this through sasl but it isn't
> recommended using it yet.  Is there another way to securely provide
> authenticated smtp?

We use exim (using SMTP auth) and stunnel to provide encrypted, authenticated
access from any laptop, anywhere. It was a complete pain to set up initially,
but well worth it. And if I had the config files handy (I don't - they're at
work and I'm not) I'm sure it would be easier second time round.

Cheers,

Nick



Re: questions on ident, postfix & proftp

2000-12-17 Thread Bastian Blank
On Sun, Dec 17, 2000 at 10:36:03AM -0600, Kevin van Haaren wrote:
>Is there another way to securely provide 
> authenticated smtp?

You can use TLS instead, but you must read the documentation to get
it to work.

bastian

-- 
No more blah, blah, blah!
-- Kirk, "Miri", stardate 2713.6



Re: questions on ident, postfix & proftp

2000-12-17 Thread Tom Marshall
> I've got a server setup to provide e-mail, web, ftp services on the 
> internet.  I also run a masquerading/firewall box to protect an 
> internal network (these are separate boxes).  Both run Debian Woody 
> (one is intel box, the other is a powerpc box.)

Why are you running an unstable distribution on a firewall?  I would
recommend against it.

> Is there a recommended way 
> of setting ident up on a firewall?  I've seen servers that provide 
> proxying ident requests for internal machines, or responding with 
> random responses, is one preferred over the other?

Personally, I run a masq-aware identd on my masq box and nullidentd on my
internal machines.
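
The reply formats an ident daemon can send under RFC 1413, covering the choices raised in this thread (a real answer, one fixed answer for every connection, or a withheld user), as an added example that is not part of the original messages. The function names, the `policy` values, the `lookup` callback and the fixed name `nobody` are assumptions made for the illustration.

```python
import re

# RFC 1413 query: "<port-on-server> , <port-on-client>", terminated by CRLF.
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}

def parse_ports(text):
    """Return (server_port, client_port) or None if the port pair is malformed."""
    m = QUERY_RE.match(text.rstrip("\r\n"))
    return (int(m.group(1)), int(m.group(2))) if m else None

def build_reply(query, policy, lookup=None, fixed_user="nobody"):
    """Reply line for one query, or None to close without answering.

    policy "real":   lookup(server_port, client_port) returns a user name or None
    policy "fixed":  the same constructed name for every connection
    policy "hidden": acknowledge the connection but withhold the user
    """
    ports = parse_ports(query)
    if ports is None:
        return None
    prefix = "%d , %d : " % ports
    if not all(1 <= p <= 65535 for p in ports):
        return prefix + "ERROR : INVALID-PORT\r\n"
    if policy == "hidden":
        return prefix + "ERROR : HIDDEN-USER\r\n"
    user = fixed_user if policy == "fixed" else (lookup(*ports) if lookup else None)
    if user is None:
        return prefix + "ERROR : NO-USER\r\n"
    return prefix + "USERID : UNIX : " + user + "\r\n"

def parse_reply(line):
    """Parse a reply into a dict, or None if it does not follow the RFC grammar."""
    # Split at most three times: a user id may itself contain ':'.
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    ports = parse_ports(fields[0])
    if ports is None or len(fields) < 3:
        return None
    if fields[1] == "ERROR" and len(fields) == 3 and fields[2] in ERRORS:
        return {"ports": ports, "error": fields[2]}
    if fields[1] == "USERID" and len(fields) == 4:
        # The RFC counts leading blanks as part of the id; stripped here for
        # readability (a choice of this example).
        return {"ports": ports, "opsys": fields[2], "user": fields[3]}
    return None
```

Only the "real" policy gives the remote admin something that maps back to an account, so a fixed or hidden reply has to be backed by local connection logs if abuse is to be traced.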



Re: questions on ident, postfix & proftp

2000-12-17 Thread Christian Kurz
On 00-12-17 Kevin van Haaren wrote:
> Ident questions
> 
> Going through the Securing Debian HOW-TO I don't see a specific 
> mention either for or against running the ident service (either 
> through inetd or standalone.)  Is there a consensus about if this 
> service is particularly useful or not?

It is useful to identify your users in case of abuse. 

> Digging around on the internet it mainly seems to be useful for IRC 
> clients although some mention is made that it can be useful for 
> preventing users of your system from forging e-mail from your system. 

It will also be useful if any kind of abuse happens and your logfiles
say nothing. If the admin can provide you with the ident-entry from your
ident-server, you will still be able to identify the user, but if you
have no ident running you will never find out which user abused your
server.

> As far as security on the system itself it appears mainly to be a 
> point of DoS attacks, is this a valid evaluation?  IRC clients won't 

Well, depends on your identd configuration.

Ciao
 Christian
-- 
  Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853



questions on ident, postfix & proftp

2000-12-17 Thread Kevin van Haaren
I've got a server setup to provide e-mail, web, ftp services on the 
internet.  I also run a masquerading/firewall box to protect an 
internal network (these are separate boxes).  Both run Debian Woody 
(one is intel box, the other is a powerpc box.)


Ident questions

Going through the Securing Debian HOW-TO I don't see a specific 
mention either for or against running the ident service (either 
through inetd or standalone.)  Is there a consensus about if this 
service is particularly useful or not?


Digging around on the internet it mainly seems to be useful for IRC 
clients although some mention is made that it can be useful for 
preventing users of your system from forging e-mail from your system. 
As far as security on the system itself it appears mainly to be a 
point of DoS attacks, is this a valid evaluation?  IRC clients won't 
be used from the server box, but machines on the internal network 
going through the firewall probably will.  Is there a recommended way 
of setting ident up on a firewall?  I've seen servers that provide 
proxying ident requests for internal machines, or responding with 
random responses, is one preferred over the other?


ProFTP question

The ProFTP debian package config file (/etc/proftpd.conf) has the 
user/group options listed twice.  Once as root/root and the other as 
nobody/nogroup.  Not sure if this is a security problem but it is 
confusing.  I removed the root/root settings.  Service runs fine 
without.  Apologies if this is the wrong place to bring this up.


Postfix question

I have a laptop user that travels around and I'd like to let them 
send mail through postfix using authenticated smtp  from anywhere on 
the internet (I like this better than the pop authentication == smtp 
authentication, as it seems more secure).  Reading through the sample 
configs it looks like postfix provides this through sasl but it isn't 
recommended using it yet.  Is there another way to securely provide 
authenticated smtp?


Thanks,
Kevin van Haaren


