[TriLUG] Reminder: TriLUG upcoming events; meeting tomorrow, installfest Saturday

Jason Tower jason at cerient.net
Fri Jul 11 12:37:15 EDT 2003


actually, my presentation demonstrated several things that should never be 
done with a production server (as i pointed out i was aiming for speed and 
simplicity, not security).  the class on the 26th will focus more on doing 
things the "right" way.  to wit:

1. never permit user logons unless absolutely necessary.  you can prevent this 
by using the -s option with useradd, or by manually changing the shell in the 
/etc/passwd file.  if users are only using their account for mail, change the 
shell to /bin/false!

2. don't permit the use of weak passwords!  bob/bob would appear to be a 
particularly bad combo :-)

3. use only imaps for remote mail access instead of normal imap.  you don't 
want to be transmitting passwords in cleartext where they can be easily 
sniffed, even on an internal network.

4. if you are using squirrelmail, make sure you connect to apache with https, 
not http.  again, you want to avoid sending passwords in cleartext.  if 
squirrelmail is running on the same box as the mailserver (as i demonstrated) 
then imap is relatively safe since it's only used "inside" the server itself, 
not across a network.  in this case you should configure imap to accept 
connections from the loopback interface (127.0.0.1) only.

incidentally, the demo server that i used during the presentation ended up 
processing approximately 50MB of mail (800 fairly large messages, most were > 
50k) before i shut it down.  i figure it was only accepting mail for about an 
hour or so.  by far the most cpu cycles were consumed by spamassassin, this 
could have been reduced significantly by using spamc/spamd (the daemonized 
version of SA) instead of the traditional /usr/bin/spamassassin.

thanks to jeremy portzer for volunteering his laptop, to chris knowles for 
lending me his laptop when we found that jeremy's couldn't do simultaneous 
displays, and to roy for helping set everything up.  despite the slightly 
"challenging conditions" i really enjoyed presenting the material and hope to 
see at least a few of you at the mail server class on the 26th!

jason

On Friday 11 July 2003 08:14, Chris Knowles wrote:
> Hear, hear.
>
> Jason's always a (as my mother would say) "mensch".  Stepping up to the
> plate and volunteering/donating time and expertise.
>
> His talk served to illustrate several things:
>
> 1) a relatively low pipe and box can still handle a heck of a throughput
> of e-mail.  (If you extrapolate the rate at which e-mail was arriving,
> it's ~230,000/week, which is 7x what my company of 150 gets.)
>
> 2) Always make your passwords large and relatively hard to guess, unless
> you *want* someone to break in.
>
> 3) Even in a group of generally good people someone will take a joke too
> far.
>
> 4) None of it was my fault.  I didn't have my laptop.  Geez. :)
>
> All in all a good talk, and handled beautifully well by Jason.
>
> CJK
>
> On Thu, 2003-07-10 at 22:45, Brian Daniels wrote:
> > On Wed, Jul 09, 2003 at 06:16:14PM -0400, Jeremy Portzer wrote:
> > > See http://trilug.org/ for details and directions.
> > >
> > > * Thursday, July 10, 2003       7pm
> > >         "Running a Linux E-mail Server" - by Jason Tower
> > >         Dreyfus Auditorium, RTI
> >
> > Just wanted to give a big thank you to Jason for a great talk under
> > challenging conditions!  Well done!
> >
> > --Brian
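
An added audit script for points 1 and 4 of Jason's list (example code, not from the thread or from any TriLUG material): it lists the accounts in a passwd-format file that still have a login shell, and flags plain-IMAP (port 143) listeners that are not bound to 127.0.0.1. The passwd entries and listener lines are constructed samples; /bin/false (as the mail suggests) and /sbin/nologin are both treated as non-login shells.

```shell
#!/bin/sh
# Audit helpers for two of the points above (added example, not from the thread).
# Both functions read stdin so they can be fed real data (/etc/passwd, the
# local-address column of "ss -ltn" or "netstat -ltn") or the samples below.

# Point 1: print accounts whose shell still allows an interactive login.
# /bin/false (as the mail suggests) and /sbin/nologin count as "no login".
login_shell_users() {
    awk -F: '$7 != "/bin/false" && $7 != "/sbin/nologin" && $7 != "" { print $1 }'
}

# Point 4: given one "LOCAL-ADDRESS:PORT" per line, print plain-IMAP (143)
# listeners reachable from the network, i.e. not bound to a loopback address.
imap_exposed() {
    grep -E ':143$' | grep -v -E '^(127\.0\.0\.1|\[::1\]):' || true
}

# Constructed sample data (not taken from any real server).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin'

SAMPLE_LISTENERS='0.0.0.0:143
127.0.0.1:143
0.0.0.0:993
127.0.0.1:25'

echo "accounts that can still log in:"
printf '%s\n' "$SAMPLE_PASSWD" | login_shell_users
echo "IMAP listeners exposed to the network:"
printf '%s\n' "$SAMPLE_LISTENERS" | imap_exposed
```

On a real box, pipe `/etc/passwd` and the listener list into the two functions in place of the samples; an empty second list means IMAP is only reachable on the loopback interface, as the mail recommends.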
