Re: [Fwd: Re: Down the MPD road]

From: Michael Collette (metrol_at_metrol.net)
Date: 05/13/03

  • Next message: Peter C. Lai: "Re: OpenSSH-portable <= 3.6.1p1 bug?"
    To: FreeBSD Security <freebsd-security@FreeBSD.org>
    Date: Mon, 12 May 2003 18:52:07 -0700
    
    

    On Monday 12 May 2003 05:07 pm, Bob K wrote:
    > Made a typo in the cc: line. Coffee time, I guess.

    Oh boy, this mail had me running for the coffee pot.

    > > Is there perhaps some part of this I'm missing?
    >
    > Workaround: Take a box inside the secure network and have it NAT mail &
    > LDAP connections from the MPD'd range to the mail server. Then have
    > your MPD'd users use that box.
    >
    > You can use ipfw+natd to do this; something like:
    >
    > natd -redirect_address ma.il.ser.ver 0.0.0.0
    >
    > ipfw add divert 8668 tcp from mpd.ra.ng.es/bits to int.er.nal.ip \
    > 25,110,389 in recv enet0
    >
    > ipfw add divert 8668 tcp from ma.il.ser.ver 25,110,389 to int.er.nal.ip
    > in recv enet0
    >
    > If resources aren't scarce, you could even use the box that's running
    > mpd to do it.

    It seems I've run into a false alarm. Turns out the user's mail box on the
    server had a dinked message which wouldn't let him pull down. Once I fixed
    the dinked message, all was well. Even without having remote gateway
    enabled.

    A bit of a concern here, as by all reasoning it shouldn't be able to hop the
    subnet without some way to route the packets. Seems like this is the part in
    a How-To where "something magical happens" to the packets.

    Your mail did get me thinking that it might work out a bit more securely to
    have mpd running in a jail either on the gateway or on a box behind. I can
    definitely see where you're going with your suggestion, and even though it
    doesn't seem needed now, it might still be a worthwhile lockdown to look
    into.

    > (if anyone can spot problems with this aside from the accounting
    > difficulties, please let me know)
    >
    > A better solution, methinks, would be an internal mail/ldap server in
    > the secure range, with the one in the DMZ doing nothing but relaying
    > mail to/from the internal network.

    I do have plans to do something very similar to this in the very near future.
    I was considering having pop3 running in the DMZ with fetchmail bringing in
    from there to a server in the secure network running IMAP. SMTP would have
    to remain in the DMZ in order to get a proper reverse DNS for them pickier
    servers out there though.

    If there's a more creative means for doing this I would LOVE to hear about it.
    That, or what other folks might consider best practices for placement of the
    mail server within the topography.

    Thanks again for a creative idea here.

    Later on,

    -- 
    "Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark 
    to read."
     - Groucho Marx
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    

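The natd+ipfw relay that Bob K sketches above, written out as a complete configuration for the box inside the secure network. This is an added example, not configuration from the original thread: the addresses (10.8.0.0/24 for the MPD client pool, 192.168.1.20 for the relay's own LAN address, 192.168.1.10 for the real mail/LDAP server) and the interface name fxp0 are placeholders, and it uses redirect_port rather than redirect_address so that only the three service ports, not every port on the mail server, are reachable through the relay.

```conf
# --- /etc/rc.conf on the relay box ---
# The kernel needs "options IPFIREWALL" and "options IPDIVERT".
gateway_enable="YES"            # forward between the MPD pool and the mail server
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="fxp0"           # assumed internal interface name
natd_flags="-f /etc/natd.conf"

# --- /etc/natd.conf ---
# Assumed addresses: relay = 192.168.1.20 (what the MPD clients are
# told to use as their mail/LDAP server), real server = 192.168.1.10.
use_sockets yes
same_ports  yes
# Redirect only the three services.  redirect_address would expose
# every port on 192.168.1.10 through the relay.
redirect_port tcp 192.168.1.10:25  25
redirect_port tcp 192.168.1.10:110 110
redirect_port tcp 192.168.1.10:389 389

# --- /etc/ipfw.rules ---
# Assumed MPD pool: 10.8.0.0/24.  "natd" is port 8668 in /etc/services.
# All four legs of a connection pass through natd: the client's request
# (in, then out after the destination is rewritten) and the server's
# reply (in, then out after it is rewritten back to the MPD client).
# The mail server therefore sees every connection as coming from
# 192.168.1.20, which is the accounting problem Bob K mentions.
add 100 divert natd tcp from 10.8.0.0/24 to 192.168.1.20 25,110,389 in via fxp0
# A diverted packet re-enters here with its new destination; let it through.
add 101 allow tcp from 10.8.0.0/24 to 192.168.1.10 25,110,389 in via fxp0
add 110 divert natd tcp from 10.8.0.0/24 to 192.168.1.10 25,110,389 out via fxp0
add 120 divert natd tcp from 192.168.1.10 25,110,389 to 192.168.1.20 in via fxp0
add 130 divert natd tcp from 192.168.1.20 25,110,389 to 10.8.0.0/24 out via fxp0
# Anything else arriving from the MPD pool is dropped and logged.
add 200 deny log ip from 10.8.0.0/24 to any in via fxp0
add 65000 allow ip from any to any
```

Rule 200 only governs packets that actually arrive at the relay; the restriction that MPD clients may reach nothing in the secure range except 192.168.1.20 on ports 25, 110 and 389 has to be enforced on the mpd gateway itself, which is the box the client traffic passes through.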