
List:       postfix-users
Subject:    Re: Two different IP for one mx
From:       "jin&hitman&Barracuda" <jinhitman () gmail ! com>
Date:       2018-01-31 14:25:38
Message-ID: CALdev8fYOnUK4HAt_fLyB=p1nbU+LOfBnCRPDWTc00qzn5Y1aQ () mail ! gmail ! com

Ok, I already started a discussion with the ISP and they obviously have no idea
what they are doing. However, they have not made any effort to fix this
setup. I'm still waiting. Maybe it is time to find a proper ISP and
replace this one with it.

2018-01-31 17:00 GMT+03:00 Bill Cole <postfixlists-070913@billmail.scconsult.com>:

> On 30 Jan 2018, at 6:07 (-0500), jin&hitman&Barracuda wrote:
>
>> Yes I saw connections coming
>> from 172.27.203.20 and it was me.
>> I believe this setup is not fit for mail servers.
>
> Absolutely true. 3 widespread ISP tactics that make a network unfit for an
> Internet-facing MTA:
>
> 1. DNS hijacking
> 2. Firewall or router-based (usually Cisco ASA/PIX) mangling of SMTP
> 3. Source NAT for inbound traffic
>
> All 3 are often presented as part of "network security" packages but they
> are each lethal for a mail server.
>
>> Because I prefer to use
>> fail2ban for brute force attacks and fail2ban depends on the source IP address.
>> In this setup I can't see the source IP. Also I'll use iptables as a permanent
>> filter for some IPv4 blocks (like China).
>>
>> Can anyone tell me whether this setup has any benefit?
>
> No.
>
> Inbound source NAT is the most widespread network tactic that I know of
> which has no discernible benefit to the downstream user directly or
> indirectly. As far as I can tell, it is entirely a side effect of network
> gear manufacturers and network operators being lazy in implementation.
>
> --
> Bill Cole
> bill@scconsult.com or billcole@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
>



-- 
*There is no place like "/home"*
*From HemiB A R R A C U D A !*



