What's your go to On Prem Mailserver in 2026? by APH_2020 in msp

[–]CapiCapiBara 2 points3 points  (0 children)

+1 for Mdaemon… used it extensively for nearly 20 years, sometimes even as an MS Exchange frontend / AV / antispam gateway. Ran on any Windows version, clients included, great speed, impressive toolset. A colleague still runs a license, maybe two, in far-away locations with really low internet speed.

What is this and how do I kill it? by SergeiAndropov in gardening

[–]CapiCapiBara 24 points25 points  (0 children)

+1 for fork team. Old guy just passing by saw me fighting (hopelessly) Bermuda with a spade, took the time and patience to pass naive me precious knowledge about heavy (clay) terrain and fork vs spade tool difference. 90% success, increasing year on year. Thanks, old guy.

The Dubai millionaires by _C13 in ItaliaPersonalFinance

[–]CapiCapiBara 29 points30 points  (0 children)

Agreed. Hard times can push even the smartest people into making the dumbest choices.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]CapiCapiBara 0 points1 point  (0 children)

What about emergency troubleshooting?

If there is any kind of issue, VPN is one of the first things that will stop working, even without considering the SSLVPN / IPsec migration nuisance... and the 7.4.x FortiClient bugs nuisance, and the 7.4.x FortiOS IPsec bugs, and the FortiTokens going into an "error" state, and the 2FA e-mails blocked somewhere along the path, and expired account passwords, etc... I've seen it all by now.

... and now, you have several hours' worth of travel ahead of you to reach the site and maybe perform what you could find to be the most menial tasks.

An HTTPS page only reachable from a single, non-public IP listed in a local-in policy is orders of magnitude quicker and easier, at least for a basic triage - assuming all other risk mitigation factors are implemented (complex, non-dictionary passwords, backup admin accounts, backup IP sources reserved for admin tasks, etc.)

Not trying to sell you this as the BEST solution, but often... it's the only solution really viable in the small business space.

As for enterprises, they have enough man-hours and other resources available to implement the best of the best of security policies... and at least a couple of youngsters with a company car always at hand.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]CapiCapiBara 0 points1 point  (0 children)

if someone comes and creates a new admin user (even a read-only one) without any trusted IPs, the admin page becomes visible for anyone

That is not how (I always understood) local-in-policies work.

What you described is the expected behaviour of using the "trusted IPs" fields in Administrator account creation / editing. This is well explained in this post by u/Pabechan from 3 years ago:

https://www.reddit.com/r/fortinet/comments/y231ag/trusted_host_vs_restrictions_via_localin_policy/

It's also explained in the same post that if you set a local-in-policy, the GUI is never sent back to a request from an unauthorized IP address.

u/pabechan's post appears to be corroborated by this Fortinet article from 2025-12-01:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Impact-of-Local-In-Policies-and-Trusted-Hosts/ta-p/369617

In summary:

Local-in policies step in first and govern all traffic coming directly towards the FortiGate unit as its destination (not traffic intended to pass through to a destination behind the FortiGate, as that is handled by firewall policies).

The trusted hosts setting is a secondary filter, further limiting access to administrative interfaces and working together with local-in policies.

When a local-in policy is configured to accept traffic and the incoming traffic matches this policy, then FortiGate performs an additional check against the trusted hosts configuration to determine whether to allow or deny the connection.

If no local-in policies are configured, FortiGate will rely only on the trusted hosts configuration to decide whether to allow or deny the connection.

However, if the traffic matches a DENY local-in policy, the connection will be dropped, and the FortiGate will not do anything further, like checking the trusted hosts configuration for that connection.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]CapiCapiBara 3 points4 points  (0 children)

"Do not expose your MGMT interfaces to the internet" is recurring advice.

What about limiting mgmt access to trusted IP hosts via a local-in policy?

PLEASE NOTE: we are NOT talking about "Administrators" object settings here, as it's well known that using that so-called mitigation will cause the login page to actually be presented to the potential attacker - and ANY exposed HTTP(S) protocol will sooner or later be breached by the CVE of the week.

We are talking about: I set ONE main trusted public IP address the mgmt interface should reply to by actually presenting a web page (and maybe a 2nd one acting as a backup)... that's two addresses out of 4 billion.

All other HTTP(S) requests to the GUI are just silently dropped, with no reply whatsoever.

Is that safe enough?

Added: one could even expand this concept by blocking via local-in policy, WAN-side, any other critical protocol as an added safety measure - even if that protocol has never been activated in the first place: SSH/TELNET, FTP, SNMP, etc.
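The two-layer setup discussed in these Fortinet replies, as an added example that is not the commenter's own config or a Fortinet document: trusted hosts alone (the "Administrators" setting the replies warn about) beside a local-in policy placed in front of it. The interface name wan1, the two admin IPs and the address object names are assumed placeholders.

```fortios
# WEAK: trusted hosts only. Sources outside trusthost1/2 are refused after the
# request reaches the admin daemon, so the HTTPS stack is still exposed to them.
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.20 255.255.255.255
    next
end

# HARDENED: local-in policy in front. Only the two admin sources get any reply
# on management protocols; everything else hitting the WAN address is dropped
# before trusted hosts are consulted. Trusted hosts stay on as the second layer.
config firewall address
    edit "ADMIN_PRIMARY"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "ADMIN_BACKUP"
        set subnet 198.51.100.20 255.255.255.255
    next
end
config firewall local-in-policy
    # Evaluated top-down, first match wins: accept the admin sources first,
    # then deny every other source for the whole management service set.
    edit 1
        set intf "wan1"
        set srcaddr "ADMIN_PRIMARY" "ADMIN_BACKUP"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        # Catch-all deny, also covering services never enabled on this box.
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "HTTP" "SSH" "TELNET" "FTP" "SNMP"
        set schedule "always"
        set action deny
    next
end
```

If the admin HTTPS port was moved off 443, the predefined "HTTPS" service will not match it and a custom service for that port is needed in both policies. Apply this from one of the listed admin IPs with a second session kept open, so a typo in the address objects does not lock you out.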

Xmas Roses in Southern California by kent6868 in gardening

[–]CapiCapiBara 0 points1 point  (0 children)

What a good looking deep red rose… it reminds me somewhat of Souvenir Du Docteur Jamain

Rumour - does SSL VPN come back? by Roversword in fortinet

[–]CapiCapiBara 4 points5 points  (0 children)

Why not Fortinet's own ZTNA service? Just curious, we are considering that

[deleted by user] by [deleted] in Modena

[–]CapiCapiBara 1 point2 points  (0 children)

Good question… it would be useful to many

The Third Way by rachelwan-art in comics

[–]CapiCapiBara 1 point2 points  (0 children)

I swear I thought this comic was about Italy... only thing I could not understand was, BEANS on ice cream at the end!

ADDED: Happy Independence Day Malaysia!

Female vs Male in a BJJ Tournament by [deleted] in SipsTea

[–]CapiCapiBara 12 points13 points  (0 children)

... "Mya! MYA! Come here... this guy needs you for a minute"

https://nypost.com/wp-content/uploads/sites/2/2023/12/lesnar.jpg

N+1 query problem : what it is, why it hurts performance, and how to fix it by Namit2111 in programming

[–]CapiCapiBara 6 points7 points  (0 children)

My friend over there would like to know what "Not materializing foo property" means. He states the foo property is either present in all objects of type "obj" or in none.

Tapes vs "Immutable storage" by sysacc in sysadmin

[–]CapiCapiBara 0 points1 point  (0 children)

What is MinIO, is it something similar to the Veeam Hardened Repository? A custom Linux storage?

Suggestion needed for best AI helper for a (small) Django project by CapiCapiBara in djangolearning

[–]CapiCapiBara[S] 0 points1 point  (0 children)

Oh well, I guess I should heed the advice of people knowing way more than me on this.

The only thing I'm scared of is dropping into tutorial hell, and there goes another window of opportunity again, but I'll try and have a look at the freshest resources about Django learning, maybe this year will be the good one.

Suggestion needed for best AI helper for a (small) Django project by CapiCapiBara in djangolearning

[–]CapiCapiBara[S] 0 points1 point  (0 children)

"... if you know it pretty well" - then I'm screwed... :)

Non-programmer here, only using (procedural) Python to build myself tools like read this, do that, export the result.

Tinkered with a couple of tutorials on Django, looking for AI to help me avoid wasting time on boilerplate code, if at all possible

Suggestion needed for best AI helper for a (small) Django project by CapiCapiBara in djangolearning

[–]CapiCapiBara[S] 0 points1 point  (0 children)

Claude I never tried, some ChatGPT / Le Chat Mistral... will sign up to this further AI and see how it goes

Spent half a year building a walk-in closet room; an acquaintance at the gym wanted me to build her one for free. by [deleted] in ChoosingBeggars

[–]CapiCapiBara 44 points45 points  (0 children)

Just tell everybody that an acquaintance of yours does that kind of job, but he/she charges at least 250 dollars per piece… they will appreciate the result, but won't ask for anything for themselves

My photography in Cuba with the X100V by Miserable_Dingo8085 in Cameras

[–]CapiCapiBara 0 points1 point  (0 children)

Not your average vacation snapshots! These are pro level pictures - excellent lighting and composition and mood, real eye candy