Re: [fw-wiz] Rules for mailserver which is in internet zone ??

From: Jim Seymour (jseymour_at_LinxNet.com)
Date: 12/12/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 12 Dec 2003 08:29:08 -0500 (EST)
    Dilip M <dilipm@bristolindia.com> wrote:
    >
    > Hi,
    >
    > Consider that my mail machine is in the Internet zone and I do POP directly
    > from that machine.
    > What are the best rules to have on it to be secure?

    I'm guessing you mean, by that, that you want to access the machine
    from the outside? Via the Internet?

    I would move the POP server to a dedicated machine on a third network.
    E.g.:

      'net --- FW --- secure LAN
               |
               | semi-secure 3rd network
               |
              POP
             server

    for starters. That machine would be locked-down, running nothing *but*
    popd. (And smtpd--see following.)

    Secondly: You're going to need SMTP access to the same machine, no?
    Else how will clients *send* email? I don't think you want to poke a
    hole for SMTP through your firewall to your inside machine, on your
    "secure LAN," do you?

    Speaking of SMTP: No matter which way you handle that, how will you
    handle identification/authentication to make sure clients using your
    SMTP server are *yours*, and not a spammer/cracker (attempting to)
    abuse it? SMTP AUTH (along with some IP-based restrictions to at least
    broad network ranges, if possible) would be your friend there, I should
    think. Or at least POP-before-SMTP.

    This way, if your client email services machine is compromised, all
    that's at risk is your 3rd, not-quite-as-secure, network, rather than
    your secure LAN.

    Speaking of compromise: On the client email services machine, I'd use a
    set of services that allowed me to create client email services that
    didn't require local user accounts, such as the Cyrus IMAP server
    suite, perhaps.

    -- 
    Jim Seymour                | Spammers sue anti-spammers:
    jseymour@LinxNet.com       |     http://www.LinxNet.com/misc/spam/slapp.php
    http://jimsun.LinxNet.com  | Please donate to the SpamCon Legal Fund:
                               |     http://www.spamcon.org/legalfund/
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
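The three-zone layout and the flows the reply describes (Internet reaching the POP/SMTP box only, the box delivering outbound SMTP, the secure LAN reading and sending through it, and nothing originating from the third network into the secure LAN), as an added netfilter example that is not part of the original post or the list. Interface names, the address ranges and the dry-run `IPT` variable are assumptions; the rules print by default and are only applied when `IPT=iptables` is set.

```shell
#!/bin/sh
# Zones from the post: 'net on $EXT, secure LAN on $INT, semi-secure
# third network holding the POP/SMTP host on $DMZ. All names and
# addresses below are assumed values for illustration.
EXT="${EXT:-eth0}"
INT="${INT:-eth1}"
DMZ="${DMZ:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MAIL_HOST="${MAIL_HOST:-192.168.2.10}"

# Dry run by default: rules are printed, not loaded. Set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

mail_rules() {
    # Default deny on the forwarding path; every permitted flow is explicit.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies and related packets for connections already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> mail host: POP3 and SMTP only, and only to that one host.
    $IPT -A FORWARD -i "$EXT" -o "$DMZ" -d "$MAIL_HOST" -p tcp --dport 110 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT" -o "$DMZ" -d "$MAIL_HOST" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    # Mail host -> Internet: outbound SMTP delivery to other MTAs.
    $IPT -A FORWARD -i "$DMZ" -o "$EXT" -s "$MAIL_HOST" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    # Secure LAN -> mail host: internal clients read (POP3) and send (SMTP).
    # The source restriction is the "IP-based restriction" the post mentions;
    # it complements SMTP AUTH on the host, it does not replace it.
    $IPT -A FORWARD -i "$INT" -o "$DMZ" -s "$LAN_NET" -d "$MAIL_HOST" -p tcp -m multiport --dports 25,110 -m conntrack --ctstate NEW -j ACCEPT
    # Third network -> secure LAN: log, then drop. A compromised mail host
    # gets the semi-secure network and nothing more; the log line is the
    # signal that something on it is trying to reach inside.
    $IPT -A FORWARD -i "$DMZ" -o "$INT" -j LOG --log-prefix "dmz-to-lan: "
    $IPT -A FORWARD -i "$DMZ" -o "$INT" -j DROP
}
```

With `IPT=iptables` the script must run as root on the firewall itself, not on the mail host; the host's own service configuration (SMTP AUTH, no local user accounts) is a separate layer.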