Re: Mail Server in the DMZ question

From: Brian Keefer (chort_at_amaunetsgothique.com)
Date: 05/18/04

    To: freebsd-security@freebsd.org
    Date: 17 May 2004 22:57:04 -0700
    
    

    On Mon, 2004-05-17 at 16:39, Michael Collette wrote:
    > Been trying to puzzle through a firewall layout here involving E-Mail. Would
    > have thought this was a more common kind of scenario, but I haven't been able
    > to Google me up an answer to this one.
    >
    > At present I have an SMTP server (Postfix) in my DMZ that is simply re-routing
    > mail into my secure network. This is a less than optimal setup, simply due to
    > having to allow traffic from the DMZ into my secure network without a
    > preceding request for that data.
    >
    > I want to have all the mail held on the server in the DMZ, then have it be
    > pulled into the secure network for all my users by some means.
    >
    > Originally I thought I could just set up a multi-drop box, pull in the mail
    > with Fetchmail, then have it delivered to my internal server for processing.
    > Seems that there are way too many pitfalls for this setup to reasonably
    > support all my users.
    >
    > I then looked into configuring the DMZ server to hold all mail, then release
    > on an ETRN request. From what I've read on this I'm really no better off, as
    > I still have to allow port 25 requests into my secure network.
    >
    > Thanks,

    I've seen one site implement UUCP for exactly this reason, but I think
    the potential problems with a flaw in UUCP outweigh just using an SMTP
    push.

    As long as you've locked down your firewall to only allow the mail
    gateway to open a connection through to your trusted net on port 25
    (i.e. no other DMZ hosts are allowed through in this manner), that's about
    as good as you can do.

    Look at it this way: what are you protecting against? If you're
    protecting against mail being sent in, well clearly that will happen
    either way. If you're protecting against an attacker that would hijack
    the DMZ host and try to attack your internal machine via port 25, well
    yes it will stop that, but if the attacker manages to hijack the machine
    they're going to be able to do a lot worse things (snoop on all your
    mail, possibly capture passwords, etc).

    Really, the possibility that an attacker would be able to make a
    successful attack using only port 25 of your internal host is very
    remote, and the possibility that they couldn't do anything else
    malicious even though they had hijacked a host is even more remote.
    Make sure you're not over-architecting your environment and introducing
    unnecessary complications for very minimal potential benefit.

    -- 
    Brian Keefer, CISSP
    Systems Engineer
    CipherTrust Inc, www.CipherTrust.com
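
An added example (not from the thread or from either poster) of what the lock-down Brian describes looks like as a FreeBSD pf.conf fragment; the interface names and addresses are assumptions, and the weak "any DMZ host" rule is left as a comment beside the hardened one:

```pf
# Added example (not from the thread): pf.conf fragment implementing
# "only the mail gateway, only to the internal mail host, only port 25".
# Every interface name and address below is an assumption for illustration.
ext_if   = "em0"          # Internet-facing interface
dmz_if   = "em1"          # DMZ segment
int_if   = "em2"          # trusted internal network
dmz_net  = "192.0.2.0/24"
int_net  = "10.0.0.0/24"
mail_gw  = "192.0.2.25"   # Postfix relay in the DMZ
int_mail = "10.0.0.25"    # internal mail server that delivers to users

set skip on lo0
block log all             # default deny on every interface, log the drops

# The Internet may reach the DMZ relay on SMTP only.
pass in on $ext_if proto tcp from any to $mail_gw port smtp \
    flags S/SA keep state

# Weak DMZ -> internal rule (what to avoid): any DMZ host may open SMTP
# connections into the trusted net.
#   pass in on $dmz_if proto tcp from $dmz_net to $int_net port smtp keep state

# Hardened rule: only the relay, only to the internal mail host, only
# port 25. "keep state" lets the return packets of this connection back
# out through the state table; nothing else from the DMZ gets in, so a
# compromised DMZ host other than the relay has no path to int_net.
pass in on $dmz_if proto tcp from $mail_gw to $int_mail port smtp \
    flags S/SA keep state

# The relay may deliver outbound mail to the Internet, but not into int_net.
pass in on $dmz_if proto tcp from $mail_gw to ! $int_net port smtp \
    flags S/SA keep state

# Internal users talk only to the internal mail server; no direct DMZ path.
pass in on $int_if proto tcp from $int_net to $int_mail \
    port { smtp, pop3, imap } flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and watch the `block log all` entries on pflog0 for any DMZ host other than the relay trying port 25 inward.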
