ORBS (Re: Scanning)

Roeland Meyer rmeyer at mhsc.com
Sun May 27 17:24:57 UTC 2001

So, you aren't happy when I build a poisoned cake for spammers, you want me
to use your specific recipe... even if mine works (better?). Tell me how a
MAPS-blocked system can relay spam.

Yes, I'll concede that your approach may work, albeit at higher HW cost than
my approach.

BTW, the MHSC answer to our ORBS listing last year is to drop sendmail and
build an MS-Exchange server so that we can authenticate with Win2K Domain
logins. But, that's very expensive and doesn't scale well. We also support
both PPTP and SSH VPN tunnels. There are obvious problems with both, as I've
discovered in practice.

1. Seat license costs with Exchange (scaling issues). 
2. Unless very carefully run, Exchange has serious security issues.
3. Exchange is good groupware for corps and way too much for normal users.
4. Many firewalls block any and all tunneling technology.
5. POP-based solutions demand widespread deployment of POPs. If a user is
out of POP range, they have to make LD calls. Plus there is an incremental
HW cost per POP. If one has a largish number of POPs this is a significant
addition to the out-of-range LD charges that one still incurs.

> From: E.B. Dreger [mailto:eddy at noc.everquick.net]
> Sent: Sunday, May 27, 2001 9:54 AM
> > Date: Sun, 27 May 2001 09:11:39 -0700
> > From: Roeland Meyer <rmeyer at mhsc.com>
> [ snip ]
> >> I don't buy the "we need open relay for nationwide users" argument,
> >> either.  Build a cheap MX that does nothing but take mail from a given
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> POP, and send it to the world.  Anti-spoofing at the border, 
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> don't accept mail from the outside world, and you're done.
> > You must not have a roaming staff or are willing to keep telcos wealthy.
> Or I might know a better way.
> Again, put a simple MX at each POP.  Want a constant IP address for the
> SMTP server?  Each POP's border router redirects the SMTP server's IP
> address to the local machine, which only allows inbound SMTP from the
> local POPs.
> Nothing new here.
> And then there are VPNs for roaming staff...
