From owner-freebsd-isp Fri Dec 5 07:45:09 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA07091 for isp-outgoing; Fri, 5 Dec 1997 07:45:09 -0800 (PST) (envelope-from owner-freebsd-isp)
Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA07080 for ; Fri, 5 Dec 1997 07:45:05 -0800 (PST) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id IAA26054; Fri, 5 Dec 1997 08:44:53 -0700 (MST) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id IAA01108; Fri, 5 Dec 1997 08:44:51 -0700
Date: Fri, 5 Dec 1997 08:44:51 -0700
Message-Id: <199712051544.IAA01108@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Bradley Dunn
Cc: Gaetan Feige , freebsd-isp@FreeBSD.ORG
Subject: Re: User security
In-Reply-To:
References: <3.0.32.19971205083748.00ae0640@vsg.mobistar.be>
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Seriously, black box mail servers that only allow access via IMAP or POP
> are the way to go if you can. You can use SSH for remote administration,
> and with SSH's "AllowUsers" configuration option you can specify exactly
> who can connect via SSH.

There's one possible problem with SSH in that it allows remote users to 'forward' ports from the black-box machine to other machines unless you explicitly compile out the code. This is rather nasty if you allow people inside your firewall to the black-box machine, since they can forward out to other internal (unprotected) machines in your domain and wreak havoc. (No, this didn't happen, but it could have. :)

Nate
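
An added example, not part of the message above or of any SSH distribution: a small audit of the two controls the thread discusses, written against present-day OpenSSH, where forwarding is a run-time `sshd_config` setting (`AllowTcpForwarding`, `DisableForwarding`) rather than a compile-time choice. The function name and both sample configurations are constructed for illustration.

```python
import re

def audit_sshd_config(text):
    """Return findings for an sshd_config supplied as a string."""
    glob, allow_users, findings, in_match = {}, [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or "=".
        m = re.match(r"(\w+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True            # later lines apply only conditionally
        elif in_match:
            if key == "allowtcpforwarding" and val.lower() != "no":
                findings.append(f"line {n}: Match block re-enables TCP forwarding ({val})")
        elif key == "allowusers":
            allow_users += val.split() # AllowUsers lines accumulate
        else:
            glob.setdefault(key, val.lower())  # sshd keeps the first value seen
    if not allow_users:
        findings.append("no AllowUsers: any account able to authenticate may connect")
    forwarding_off = (glob.get("disableforwarding") == "yes"
                      or glob.get("allowtcpforwarding", "yes") == "no")
    if not forwarding_off:
        findings.append("TCP forwarding enabled globally (AllowTcpForwarding defaults to yes)")
    return findings

# Constructed sample: forwarding left at its default, no login allow-list.
WEAK = """\
Port 22
PermitRootLogin no
"""

# Constructed sample: admin-only login, forwarding switched off.
HARDENED = """\
Port 22
AllowUsers admin1 admin2
AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg) or "ok")
```

Any value other than `no` is flagged, because `local` still lets a logged-in user relay connections from the server to hosts behind it.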