[Dovecot] Firewalls are [essentially] free - WAS: Re: Source patches from Apple
nuitari-dovecot at nuitari.net
Sat Dec 13 22:02:16 EET 2008
>>
>> Your argument is bogus - see above... again, a basic, properly
>> configured firewall has negligible impact on pretty much any systems
>> resources, even ancient ones...
>>
>> So, yeah, enabling a firewall on a mail server is essentially free,
>> whether talking impact on system resources, or dollar cost.
>
> Why would I threaten the much-loved near-instantaneous response of my mail
> servers by spending resources there that are better spent on my border
> routers, whose CPUs sit at 90% idle time unless they're doing a BGP update?

Because even a firewall with a huge list of hosts to block will be faster
than handling a ton of bogus logins from bots and script kiddies.

Because a border router can't tell if a connection coming from an IP is
bad or not without deep packet inspection, and of course you have the
results on the mail server itself. Also blocking all of these bogus
requests at the iptables level will stop them from using any further
resources.

You're right, it's not 'free', but the costs of doing it are cheaper than
having to handle tons of bogus authentication, and the consequences less
dire if they actually manage to find a working login name and password.

If they do find a working login name and password they are going to start
hitting the SMTP server with it and then if they do get it to be in relay
mode (either through SMTP AUTH or POP-before-SMTP) then you'll end up
spewing spam and that will cost you a lot more resources than the firewall
ever will.
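
The feedback loop argued for above (the mail server sees the failed logins, iptables drops the source) as an added example that is not part of the original post. The log line shape, the threshold, the window and the port list are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed Dovecot-style syslog format; rip= is the client IP).
SAMPLE_LOG = """\
Dec 13 21:58:01 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Dec 13 21:58:03 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Dec 13 21:58:04 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Dec 13 21:58:06 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Dec 13 21:59:30 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Dec 13 22:30:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Dec 13 22:50:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
"""

# The greedy ".*" before rip= picks the LAST rip= on the line, so a login name
# that itself contains "rip=..." cannot redirect the block to another address.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*-login: .*auth failed.*rip=([0-9a-fA-F.:]+)")
MAIL_PORTS = "25,110,143,587,993,995"  # SMTP included: a guessed password gets reused for relay

def offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2008):
    """Return IPs with >= threshold failed logins inside any sliding window."""
    recent = defaultdict(deque)
    flagged = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[m.group(2)]
        hits.append(when)
        while when - hits[0] > window:  # forget failures older than the window
            hits.popleft()
        if len(hits) >= threshold and m.group(2) not in flagged:
            flagged.append(m.group(2))
    return flagged

def iptables_rules(ips):
    """Render DROP rules as text; review and exempt your own networks before loading."""
    rules = []
    for ip in ips:
        cmd = "ip6tables" if ":" in ip else "iptables"
        rules.append(f"{cmd} -I INPUT -s {ip} -p tcp -m multiport --dports {MAIL_PORTS} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules(offenders(SAMPLE_LOG))))
```

With the default 10-minute window only the burst from 203.0.113.5 is blocked; the three mistyped passwords from 198.51.100.7 are spread over almost an hour and stay under the threshold.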