Re: An argument AGAINST hosting your own email domain.

From: Joe (joe_at_jretrading.com)
Date: 12/06/04


Date: Mon, 6 Dec 2004 17:46:49 +0000

In message <uQIZwL42EHA.3408@tk2msftngp13.phx.gbl>, "SuperGumby [SBS
MVP]" <not@your.nellie> writes
>but you're allowed to argue the 'for'.

Hell, no. At home, I run an industrial-strength mail server with
good-quality firewalling, but I wouldn't dream of opening port 25.
Life's too short as it is.
>
>My thoughts on this go back a few months when I was asking a client's web
>and zone host to give us an MX record. The support guy I was talking to
>thought I was crazy. 'Mick, we'll host unlimited (users and size) mailboxes
>for them, optionally SPAM check them, AV them, and give them a web interface
>which includes out of office and forwarding capabilities, AT NO (additional)
>COST'.
>
>It's been chewing away at me since. Just why the hey should I open my system
>to 'auth attacks', NDR attacks, attacks which have yet to be invented, or
>even attacks which don't exist, when these guys will throw it in with a
>basic hosting facility?
>
>In the past we didn't like the 'POP Connector', there was a problem where it
>lost mail for the 16th user (7th and 15th users maybe? some number user). We
>still don't like the POP Connector because it doesn't handle mail in a
>global mailbox with multiple 'TO:' fields and also doesn't handle 'BCC:'
>well. BIG DEAL, get rid of your global mailboxes and set up individual
>mailboxes at your hosting company. The hosting company will properly 'fan
>out' the multiple 'TO:' and 'BCC:' mail and as the SBS2003 dev team fixed
>the '7th or 15th user problem' the POP Connector's ability to collect mail
>from an individual mailbox and assign it to an Exchange mailbox works, we
>seem to have an ideal situation.

Even with a multi-drop POP3 mailbox, better performance is possible by
careful choice of ISP. Some of them do pass the envelope on in a
non-standard header, although you probably need a non-Microsoft
downloader to take advantage of this.

There's also no need to stick to POP3. IMAP is a better protocol, and
SSL versions of both exist. The IMAP facilities are not necessary with
Exchange, but do not have to be used. Of course, Microsoft would have to
be persuaded of the argument, and clearly the pressure towards in-house
email is coming from them.
>
>We commonly tell people 'get your WWW hosted', mainly because this means we
>reduce our attack surface by not requiring an open port 80.
>If we also tell them 'let your WWW host also host your email domain' we can
>close port 25, reducing our attack surface further.

I've argued in this direction here. I got the stock (presumably
Microsoft) answer. I've seen any number of questions about improving the
performance of the POP3 connector, almost all of which are met with the
advice not to use it, rather than answers. A compromise would be to
accept SMTP, but only from your ISP. That greatly reduces risk without
much disruption.

Something you didn't mention was reliability. Unless you get quite
serious about your Internet connection, it is unlikely to be as reliable
as your ISP's. My home telephone line was down for an eight day period a
couple of years ago, long enough for most mail servers to give up, and
for most email to become irrelevant. There's nothing stopping the same
thing happening to business phone lines, which is how most people
connect. It's possible to jury-rig some kind of access to email for a
small business, even through a mobile phone, but only if someone else is
collecting it 24/7.

-- 
Joe
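A sketch of the multi-drop POP3 fan-out discussed above, added here as an illustration rather than code from anyone in the thread: it routes by the ISP's envelope header when one is present and shows why the fallback of scanning To:/Cc: silently loses BCC'd mail. The header names, the local domain and the sample messages are all assumptions constructed for the example.

```python
"""Fan out one multi-drop POP3 message to local mailboxes (illustrative)."""
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "example.com"                 # assumed local domain
# Assumed names for the non-standard envelope header an ISP may add;
# check what your own provider actually writes before relying on it.
ENVELOPE_HEADERS = ("Delivered-To", "X-Envelope-To")


def _local(values):
    """Return sorted, de-duplicated local addresses found in header values."""
    addrs = (a.lower() for _, a in getaddresses(values) if a)
    return sorted({a for a in addrs if a.endswith("@" + LOCAL_DOMAIN)})


def fan_out(raw_message, envelope_headers=ENVELOPE_HEADERS):
    """Return (recipients, source) where source is 'envelope' or 'headers'."""
    msg = message_from_string(raw_message)
    for header in envelope_headers:
        values = msg.get_all(header)
        if values:
            rcpts = _local(values)
            if rcpts:
                return rcpts, "envelope"     # reliable: covers BCC
    # Fallback: guess from visible headers. BCC recipients never appear here,
    # which is exactly the failure mode a plain POP connector runs into.
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    return _local(visible), "headers"


# Constructed sample: ISP passes the envelope, message was BCC'd to bob.
BCC_WITH_ENVELOPE = (
    "Delivered-To: bob@example.com\n"
    "From: sender@elsewhere.net\n"
    "To: undisclosed-recipients:;\n"
    "Subject: quarterly figures\n"
    "\n"
    "body\n"
)

# Constructed sample: no envelope header; bob was BCC'd and is invisible.
BCC_WITHOUT_ENVELOPE = (
    "From: sender@elsewhere.net\n"
    "To: alice@example.com, Carol <carol@example.com>, dave@elsewhere.net\n"
    "Subject: quarterly figures\n"
    "\n"
    "body\n"
)
```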
