[Dovecot] Firewalls are [essentially] free - WAS: Re: Source patches from Apple

nuitari-dovecot at nuitari.net nuitari-dovecot at nuitari.net
Sat Dec 13 22:02:16 EET 2008


>> 
>> Your argument is bogus - see above... again, a basic, properly
>> configured firewall has negligible impact on pretty much any systems
>> resources, even ancient ones...
>> 
>> So, yeah, enabling a firewall on a mail server is essentially free,
>> whether talking impact on system resources, or dollar cost.
>
> Why would I threaten the much-loved near-instantaneous response of my mail 
> servers by spending resources there that are better spent on my border 
> routers, whose CPUs sit at 90% idle time unless they're doing a BGP update?

Because even a firewall with a huge list of hosts to block will be faster 
than handling a ton of bogus logins from bots and script kiddies.

Because a border router can't tell if a connection coming from an IP is 
bad or not without deep packet inspection, and of course you have the 
results on the mail server itself. Also blocking all of these bogus 
requests at the iptables level will stop them from using any further 
resources.

You're right, it's not 'free', but the costs of doing it are cheaper than 
having to handle tons of bogus authentication, and the consequences less 
dire if they actually manage to find a working login name and password.

If they do find a working login name and password they are going to start 
hitting the SMTP server with it, and then if they do get it to be in relay 
mode (either through SMTP AUTH or POP-before-SMTP) you'll end up 
spewing spam and that will cost you a lot more resources than the firewall 
ever will.
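As an added illustration of the point made in this post (not code from the poster or the Dovecot project), the script below reads Dovecot login-process log lines, sums the `auth failed` attempts per remote IP (`rip=`), and emits host-level iptables DROP rules for addresses over a threshold, so repeat offenders are rejected before they reach the login process. The log lines, threshold and port list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of Dovecot login-process log lines (not taken from the post).
SAMPLE_LOG = """\
Dec 13 21:58:01 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Dec 13 21:58:04 mx dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<test>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Dec 13 21:58:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, TLS
Dec 13 21:58:12 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS
"""

# Matches the attempt count and the remote IP of a failed-auth disconnect;
# successful "Login:" lines have no "auth failed" text and are ignored.
FAILED_RE = re.compile(r"auth failed, (\d+) attempts.*?rip=(\d{1,3}(?:\.\d{1,3}){3})")


def count_auth_failures(log_text):
    """Return a Counter of failed login attempts keyed by remote IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts


def offending_ips(counts, threshold):
    """IPs whose failed-attempt total reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips, ports=(110, 143, 993, 995)):
    """Build one host-firewall rule per IP dropping new connections to the mail ports.

    The port list (POP3/IMAP plain and TLS) is an assumption; adjust to what the host serves.
    """
    dports = ",".join(str(p) for p in ports)
    return [
        f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {dports} -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    failures = count_auth_failures(SAMPLE_LOG)
    for rule in iptables_rules(offending_ips(failures, threshold=5)):
        print(rule)
```

In practice the counts would be kept per time window and the rules expired, so a mistyped password from a legitimate user does not become a permanent block.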
